Session cookie should use "Max-Age" instead of "Expires" #794
Originally reported by: Anonymous
In sessionfilter.py (CherryPy 2.x, `branches/cherrypy-2.x/cherrypy/filters/sessionfilter.py`) and sessions.py (CherryPy 3.x, `trunk/cherrypy/lib/sessions.py`) respectively, the expiration time for the session cookie is set using the "Expires" attribute (as an absolute timestamp), instead of the "Max-age" attribute (a time delta).
A comment in the CherryPy code states that this is done to have the cookie saved to disk if people close the browser, and it is considered as a workaround for an alleged bug in MSIE. TurboGears copied this idea for its own "visit" package, but it turned out that it has several drawbacks:
Therefore, we reverted this in TurboGears (see ticket 1729, http://trac.turbogears.org/ticket/1729) and now set "Max-age" again, instead of "Expires". We think that this should be changed in CherryPy, too.
Reported by email@example.com
Original comment by Anonymous:
I have to emend some of what I said above. It seems that it is really not a security feature, but ignorance, that MSIE 7 does not make cookies with "Max-Age" permanent. It seems to ignore the attribute completely. So a better fix would be not replacing Expires with Max-Age, but setting Max-Age in *addition* to Expires. It will then take precedence in well-behaving browsers and it solves the third problem mentioned at least for these browsers. This is how we implemented it in TurboGears now. Additionally, we introduced a setting "visit.cookie.permanent" that is False by default and must be set to True in order to set these attributes. Otherwise, both will not be set. In this case, we have a true Session cookie which is not stored when the browser is closed, and the timeout while the browser is open is enforced only by TurboGears' visit manager, not by the cookie. You could do the same in CherryPy, since there is also a separate timeout for the session data anyway.
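The scheme described in the comment above, as an added example that is neither CherryPy's nor TurboGears' code: a `permanent` switch that emits no expiry attributes at all (a true session cookie, lifetime enforced server-side) or emits both `Max-Age` and `Expires`, plus a small helper that models which of the two a client actually uses. The cookie name `session_id`, the use of `http.cookies.SimpleCookie`, and the timestamps are assumptions for this example; the precedence rule (Max-Age wins when present and honoured, otherwise Expires) is the one RFC 6265 specifies.

```python
import email.utils
import time
from http.cookies import SimpleCookie

# Assumed cookie name for this example; the real CherryPy default is not shown in the ticket.
SESSION_COOKIE_NAME = "session_id"


def build_session_cookie(session_id, timeout_minutes, permanent, now=None):
    """Build the session cookie the way the comment above describes.

    permanent=False: neither Expires nor Max-Age is emitted, so the browser
    treats it as a true session cookie and discards it on close; the
    server-side session timeout alone enforces the lifetime.
    permanent=True: emit Max-Age (a delta, which RFC 6265 browsers prefer)
    and Expires (an absolute timestamp, the fallback for browsers such as
    the MSIE version discussed above that ignore Max-Age).
    """
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE_NAME] = session_id
    morsel = cookie[SESSION_COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True  # keep the session id out of reach of page scripts
    if permanent:
        seconds = timeout_minutes * 60
        morsel["max-age"] = seconds
        morsel["expires"] = email.utils.formatdate(now + seconds, usegmt=True)
    return cookie


def header_value(cookie):
    """The Set-Cookie header value for the session morsel."""
    return cookie[SESSION_COOKIE_NAME].OutputString()


def effective_expiry(set_cookie_value, client_now, honours_max_age=True):
    """Absolute expiry a client assigns to the cookie, or None for a session cookie.

    Follows RFC 6265 precedence: Max-Age wins when present and honoured,
    otherwise Expires is used. honours_max_age=False models a browser that
    ignores Max-Age entirely, as the comment reports for MSIE 7.
    """
    attrs = {}
    for part in set_cookie_value.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value
    if honours_max_age and "max-age" in attrs:
        # Max-Age is relative to the client's own clock.
        return client_now + int(attrs["max-age"])
    if "expires" in attrs:
        return email.utils.parsedate_to_datetime(attrs["expires"]).timestamp()
    return None


if __name__ == "__main__":
    now = 1_700_000_000  # constructed server timestamp
    permanent = build_session_cookie("abc123", 10, permanent=True, now=now)
    session_only = build_session_cookie("abc123", 10, permanent=False, now=now)
    print("Set-Cookie:", header_value(permanent))
    print("Set-Cookie:", header_value(session_only))
    print("RFC 6265 client:", effective_expiry(header_value(permanent), now))
    print("Max-Age-ignoring client:",
          effective_expiry(header_value(permanent), now, honours_max_age=False))
```

With `permanent=True` the header carries both attributes, and the helper shows that a conforming client computes its expiry from `Max-Age` against its own clock, while a client that ignores `Max-Age` still falls back on `Expires`; with `permanent=False` the header carries neither, and the helper returns `None`, i.e. the cookie lives only until the browser is closed.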