Opened 15 years ago
Closed 15 years ago
#13549 closed (duplicate)
IE doesn't support cookie's max-age, so the CSRF cookie is not kept
| Reported by: | master | Owned by: | nobody |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Keywords: | csrf, cookie, IE | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
In django\middleware\csrf.py, class CsrfViewMiddleware, process_response(), the set_cookie() sets a 'max_age' argument but no 'expires' argument.
IE doesn't consider the max-age attribute, so the behaviour is the same as not setting any lifetime to the cookie.
This problem can be solved by the patch proposed in ticket #13548
If that patch is not accepted, then you have to set the parameter yourself, as in the patch attached to this ticket.
Attachments (1)
Change History (2)
by , 15 years ago
comment:1 by , 15 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
I'm going to close this as a dupe of #13548 -- This isn't something that should be fixed piecemeal; it should be fixed once so all cookies work as expected (well... the real fix is for IE to actually pay attention to published standards, but thats wishful thinking).
On a practical note, this specific incarnation of the bug shouldn't have too much of an impact - CSRF tokens shouldn't have any reason to persist beyond a browser session anyway, since they should generally be very short lived.