Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#32757 closed Bug (invalid)

CSRF cookies are not issued once expired if the session cookie is still valid

Reported by: Luke Sapan Owned by: nobody
Component: CSRF Version: 3.2
Severity: Normal Keywords: csrf, cookie age
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Currently, if someone sets SESSION_COOKIE_AGE beyond a year without also extending CSRF_COOKIE_AGE, their users are going to start running into CSRF errors. There may be a reason for it, but Django won't issue a new CSRF token once it expires if the user still has a valid session cookie.

I'm not sure if there's a security reason for this (I can't think of one), but even if there is, it would make sense to add a warning during startup if SESSION_COOKIE_AGE > CSRF_COOKIE_AGE.

Change History (3)

comment:1 by Carlton Gibson, 3 years ago

Hi Luke.

Can I ask you to spell out this in a test case or sample project:

Django won't issue a new CSRF token once it expires if the user still has a valid session cookie

Initially that would sound like a bug, but there could be lots going on, and I'm imagining it would be quicker for you to narrow it down to the exact reproduce.

Example in hand it's much easier to look at.
Thanks! 🙂

comment:2 by Luke Sapan, 3 years ago

Resolution: invalid
Status: newclosed

Hi Carlton,

Thanks for getting back! I went to create a minimal repro, and it turns out that it actually is working correctly. My site seems to be experiencing this issue because of the way it is interacting with Django REST Framework. In any case, Django is all set, thanks!

comment:3 by Carlton Gibson, 3 years ago

Thanks for the follow-up Luke 👍

Note: See TracTickets for help on using tickets.
Back to Top