django-agent-trust sets an unbounded number of cookies #9
In general terms, if a large number of Django users on a site trust a single user agent, that user agent acquires a similarly large number of django-agent-trust cookies. I believe django-agent-trust currently sets a cookie for both trusted and untrusted agents; one improvement that might make sense is to only set cookies for trusted agents (and delete obsolete ones). This assumes that you're not actually trusting the agent for all of these different accounts. A second mitigation might be to limit the number of cookies we set. There could be an
Thank you for taking the time to consider this and respond
At the moment we override the entire
I just pushed a proposed fix to the cookie-actions branch. This should clear out cookies for untrusted agents as well as adding a subclass hook for more complex cookie policies. Have a look and/or give it a whirl and let me know if this seems like it will do what you need.
Hey @psagers,
We have a project where there are a multitude of support accounts that a handful of people use. Every week or so, they get a "400 Bad Request - Request Header or Cookie Too Large" error and have to clear out all cookies.
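The accumulation described in this thread, and the cleanup discussed above (set a cookie only for trusted agents, expire obsolete ones), modelled as an added Python example that is not django-agent-trust's own code. The cookie name prefix, the 120-byte payload and the 8192-byte header limit are assumptions chosen for illustration.

```python
from http.cookies import SimpleCookie

PREFIX = "agent-trust-"   # hypothetical per-user cookie name prefix
HEADER_LIMIT = 8192       # assumed per-header limit of the front-end server, in bytes
PAYLOAD = "x" * 120       # constructed stand-in for a signed trust token


def set_cookie_headers(jar, username, trusted, legacy=False):
    """Set-Cookie values for one authenticated response.

    legacy=True models the behaviour described in the thread: a cookie is
    written whether or not the agent is trusted.
    """
    name = PREFIX + username
    out = SimpleCookie()
    if trusted or legacy:
        out[name] = PAYLOAD
        out[name]["max-age"] = 30 * 24 * 3600
    elif name in jar:
        out[name] = ""            # obsolete cookie: expire it
        out[name]["max-age"] = 0
    for morsel in out.values():
        morsel["secure"] = True
        morsel["httponly"] = True
    return [m.OutputString() for m in out.values()]


def browser_store(jar, headers):
    """Minimal user-agent model: keep or drop cookies per Set-Cookie."""
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if morsel["max-age"] == "0":
                jar.pop(name, None)
            else:
                jar[name] = morsel.value


def cookie_header_size(jar):
    """Length of the Cookie request header the browser would send."""
    return len("Cookie: " + "; ".join(f"{k}={v}" for k, v in jar.items()))


def run_logins(jar, accounts, trusted, legacy):
    """One shared browser signs in to each account in turn."""
    for user in accounts:
        browser_store(jar, set_cookie_headers(jar, user, user in trusted, legacy))
    return len(jar), cookie_header_size(jar)
```

Running the legacy policy over 100 constructed support accounts leaves 100 cookies in the shared jar; re-running the same logins with `legacy=False` expires every cookie whose account does not trust the agent.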