Session cookie should use "Max-Age" instead of "Expires"

[ghost]

Originally reported by: Anonymous

---

In [source:branches/cherrypy-2.x/cherrypy/filters/sessionfilter.py sessionfilter.py](CherryPy 2.x) resp. [source:trunk/cherrypy/lib/sessions.py sessions.py](CherryPy 3.x), the expiration time for the session cookie is set using the "Expires" attribute (as an absolute timestamp), instead of the "Max-age" attribute (a time delta).

A comment in the CherryPy code states that this is done to have the cookie saved to disk if people close the browser, and it is considered as a workaround for an alleged bug in MSIE. TurboGears copied this idea for its own "visit" package, but it turned out that it has several drawbacks:

• Using the "Expires" attribute turns the cookie into a permanent cookie that is treated differently in the browser (particularly MSIE), depending on the security level it is in. It can be that permanent cookies are blocked completely, while session cookies (without "Expires" attribute) are still allowed.
• Though this is convenient, it is a security problem. That cookies are not saved without setting "Expires" is really not a bug, a security feature. I don't think it is a good idea to save a session cookie to disk. If you close your browser and leave your PC, anybody else can recover your session within the given session timeout.
• You get problems if the times and timezones on server and client are out of sync. This cannot happen with the "Max-Age" attribute because it is only a time delta.

Therefore, we reverted this in TurboGears (see [http://trac.turbogears.org/ticket/1729 ticket 1729]) and now set "Max-age" again, instead of "Expires." We think that this should be changed in CherryPy, too.

Reported by cito@online.de

---

• Bitbucket: https://bitbucket.org/cherrypy/cherrypy/issue/794

[ghost]

Original comment by Anonymous:

---

I have to emend some of what I said above. It seems that it is really not a security feature, but ignorance, that MSIE 7 does not make cookies with "Max-Age" permanent. It seems to ignore the attribute completely. So a better fix would be not replacing Expires with Max-Age, but setting Max-Age in ''addition'' to Expires. It will then take precedence in well-behaving browsers and it solves the third problem mentioned at least for these browsers. This is how we implemented it in TurboGears now. Additionally, we introduced a setting "visit.cookie.permanent" that is False by default and must be set to True in order to set these attributes. Otherwise, both will not be set. In this case, we have a true Session cookie which is not stored when the browser is closed, and the timeout while the browser is open is enforced only by TurboGear's visit manager, not by the cookie. You could do the same in CherryPy, since there is also a separate timeout for the session data anyway.