IE doesn't support cookie's max-age, so the CSRF cookie is not kept
| Reported by: | master | Owned by: | nobody |
| Severity: | | Keywords: | csrf, cookie, IE |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
In django\middleware\csrf.py, class CsrfViewMiddleware, process_response(), the set_cookie() sets a 'max_age' argument but no 'expires' argument.
IE doesn't consider the max-age attribute, so the behaviour is the same as not setting any lifetime for the cookie.
This problem can be solved by the patch proposed in ticket #13548.
If that patch is not accepted, then you have to set the parameter yourself, as in the patch attached to this ticket.
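
The fix described above, as an added example that is neither Django's code nor the patch attached to this ticket: a helper that emits both Max-Age and an equivalent Expires, and a check that flags Set-Cookie values carrying Max-Age alone. The function names and the sample cookie values are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from http.cookies import SimpleCookie


def build_cookie_header(name, value, max_age, now=None):
    """Return a Set-Cookie value that carries both Max-Age and Expires.

    Clients that ignore Max-Age fall back to Expires, so the cookie
    keeps the same lifetime either way.
    """
    now = now or datetime.now(timezone.utc)
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["max-age"] = int(max_age)
    # Expires is an absolute HTTP date derived from the relative Max-Age.
    morsel["expires"] = format_datetime(
        now + timedelta(seconds=int(max_age)), usegmt=True
    )
    morsel["path"] = "/"
    return morsel.OutputString()


def lacks_expires(set_cookie_value):
    """True if any cookie in the header sets Max-Age without Expires.

    Such a cookie is handled as if no lifetime had been set by a client
    that does not consider Max-Age, which is the behaviour reported here.
    """
    cookie = SimpleCookie()
    cookie.load(set_cookie_value)
    return any(m["max-age"] and not m["expires"] for m in cookie.values())


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real response.
    samples = [
        "csrftoken=abc; Max-Age=3600; Path=/",
        build_cookie_header("csrftoken", "abc", 3600),
    ]
    for header in samples:
        status = "Max-Age only" if lacks_expires(header) else "ok"
        print(f"{status:13} {header}")
```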