Session cookie should use "Max-Age" instead of "Expires" #794

Closed
bb-migration opened this Issue Mar 7, 2008 · 1 comment


bb-migration commented Mar 7, 2008

Originally reported by: Anonymous


In sessionfilter.py (`branches/cherrypy-2.x/cherrypy/filters/sessionfilter.py`, CherryPy 2.x) and sessions.py (`trunk/cherrypy/lib/sessions.py`, CherryPy 3.x), respectively, the expiration time for the session cookie is set using the "Expires" attribute (as an absolute timestamp), instead of the "Max-age" attribute (a time delta).

A comment in the CherryPy code states that this is done to have the cookie saved to disk if people close the browser, and it is considered as a workaround for an alleged bug in MSIE. TurboGears copied this idea for its own "visit" package, but it turned out that it has several drawbacks:

  • Using the "Expires" attribute turns the cookie into a permanent cookie that is treated differently in the browser (particularly MSIE), depending on the security level it is in. It can be that permanent cookies are blocked completely, while session cookies (without "Expires" attribute) are still allowed.
  • Though this is convenient, it is a security problem. That cookies are not saved without setting "Expires" is really not a bug, but a security feature. I don't think it is a good idea to save a session cookie to disk. If you close your browser and leave your PC, anybody else can recover your session within the given session timeout.
  • You get problems if the times and timezones on server and client are out of sync. This cannot happen with the "Max-Age" attribute because it is only a time delta.

Therefore, we reverted this in TurboGears (see ticket 1729, http://trac.turbogears.org/ticket/1729) and now set "Max-age" again, instead of "Expires". We think that this should be changed in CherryPy, too.

Reported by cito@online.de


bb-migration commented Mar 7, 2008

Original comment by Anonymous:


I have to emend some of what I said above. It seems that it is really not a security feature, but ignorance, that MSIE 7 does not make cookies with "Max-Age" permanent. It seems to ignore the attribute completely. So a better fix would be not replacing Expires with Max-Age, but setting Max-Age in *addition* to Expires. It will then take precedence in well-behaving browsers and it solves the third problem mentioned at least for these browsers. This is how we implemented it in TurboGears now. Additionally, we introduced a setting "visit.cookie.permanent" that is False by default and must be set to True in order to set these attributes. Otherwise, both will not be set. In this case, we have a true Session cookie which is not stored when the browser is closed, and the timeout while the browser is open is enforced only by TurboGears' visit manager, not by the cookie. You could do the same in CherryPy, since there is also a separate timeout for the session data anyway.
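As an added example (not CherryPy's or TurboGears' own code), the dual-attribute approach from the comment above in Python: a `permanent` switch, modelled on the `visit.cookie.permanent` setting mentioned there, emits both Max-Age and Expires or neither, and a small RFC 6265-style evaluator shows why Max-Age is immune to server/client clock skew while Expires is not. The function names and the clock-skew scenario are assumptions.

```python
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie

FMT = "%a, %d %b %Y %H:%M:%S GMT"  # cookie date format used for Expires

def build_session_cookie(name, value, timeout, permanent, server_now):
    """Return a Set-Cookie header value for a session id.

    timeout: session lifetime in seconds (same as the server-side timeout).
    permanent=False: a true session cookie, no Expires and no Max-Age, so
    the browser drops it on exit and only the server enforces the timeout.
    permanent=True: set Max-Age (a delta, wins in well-behaving browsers)
    AND Expires (absolute, for browsers such as old MSIE that ignore Max-Age).
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = True  # keep the session id away from scripts
    if permanent:
        cookie[name]["max-age"] = timeout
        cookie[name]["expires"] = (server_now + timedelta(seconds=timeout)).strftime(FMT)
    return cookie.output(header="").strip()

def effective_expiry(set_cookie, client_now):
    """When the client discards the cookie, per RFC 6265 precedence:
    Max-Age beats Expires; neither means a session cookie (None).
    Max-Age is counted on the client's own clock, so server/client skew is
    harmless; Expires is an absolute time compared against the client's clock."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    if "max-age" in attrs:
        return client_now + timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return datetime.strptime(attrs["expires"], FMT).replace(tzinfo=timezone.utc)
    return None

def skew_demo(timeout=3600, client_behind=7200):
    """Remaining cookie lifetime in client seconds when the client clock is
    `client_behind` seconds behind the server: with Max-Age honoured vs.
    with only Expires honoured (constructed scenario, fixed server time)."""
    server_now = datetime(2008, 3, 7, 12, 0, tzinfo=timezone.utc)
    client_now = server_now - timedelta(seconds=client_behind)
    header = build_session_cookie("session_id", "abc123", timeout, True, server_now)
    expires_only = "; ".join(p for p in header.split("; ") if not p.startswith("Max-Age"))
    with_max_age = (effective_expiry(header, client_now) - client_now).total_seconds()
    only_expires = (effective_expiry(expires_only, client_now) - client_now).total_seconds()
    return int(with_max_age), int(only_expires)  # returns (3600, 10800) by default
```

With the client clock two hours behind, a browser that ignores Max-Age keeps the cookie three times longer than intended, which is the third drawback listed in the original report.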

@jaraco jaraco closed this in 96d251c Jan 23, 2017

webknjaz added a commit that referenced this issue Sep 30, 2018
