Fixed #22185 -- Added settings.CSRF_COOKIE_AGE #2387

Closed
wants to merge 1 commit into from

3 participants

@rogerhu
rogerhu commented Mar 2, 2014

Internet Explorer has the ability to block/disable persistent cookies, and corruption of the index.dat cache
(i.e. due to disk errors) can cause Django sites to authenticate correctly but fail to do FORM POSTs. To
avoid this behavior, provide the option to configure the CSRF cookie age and set it to None to be session-based.

Test added and documentation updated.

https://code.djangoproject.com/ticket/22185

@rogerhu rogerhu restored the rogerhu:django_csrf_age branch Mar 2, 2014
@timgraham timgraham and 1 other commented on an outdated diff Mar 3, 2014
docs/ref/settings.txt
@@ -320,6 +320,15 @@ See :doc:`/topics/cache`.
.. _settings-csrf:
+CSRF_COOKIE_AGE
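Review bot: the new `CSRF_COOKIE_AGE` heading is added without a `.. setting:: CSRF_COOKIE_AGE` directive above it, so `:setting:` cross-references to this setting from the settings index or from ref/contrib/csrf.txt would not resolve; add the directive immediately above the heading and list the setting in those two places in the same change.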
@timgraham
Django member
timgraham added a note Mar 3, 2014

Add .. setting:: CSRF_COOKIE_AGE above this for generating links.

There's also a list of settings on this page that should be updated and it should be added to ref/contrib/csrf.txt as well.

@rogerhu
rogerhu added a note Mar 3, 2014

Thanks, both issues fixed.

@timgraham
Django member

I've read the description and ticket and am still not quite sure about the rationale. Perhaps if you expanded the docs to how (what value) and why someone would change this value from the default that would help.

@rogerhu
rogerhu commented Mar 3, 2014

Updated the documentation. The reason is to avoid using on-disk storage by being able to set the cookie age to be None. Can you take a look?
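
The session-versus-persistent distinction rogerhu describes, as an added example that is not part of the PR or of Django's code: a pared-down stand-in for the cookie-setting step (only the age handling matters here) plus a check that classifies the resulting Set-Cookie header the way a browser would store it. The default age value, the function names and the token value are assumptions.

```python
"""Added example: how a CSRF_COOKIE_AGE of None turns csrftoken into a
session cookie, and a check that tells persistent from session cookies."""
from http.cookies import SimpleCookie

# Assumed default: 52 weeks in seconds (not taken from the PR text).
CSRF_COOKIE_AGE = 60 * 60 * 24 * 7 * 52


def build_csrf_set_cookie(token, age=CSRF_COOKIE_AGE, name="csrftoken",
                          secure=False, httponly=False):
    """Stand-in for the age handling in set_cookie(): when age is None the
    cookie gets no Max-Age, so the browser keeps it in memory only and never
    writes it to its on-disk cookie store (index.dat on old IE)."""
    cookie = SimpleCookie()
    cookie[name] = token
    morsel = cookie[name]
    morsel["path"] = "/"
    if age is not None:
        morsel["max-age"] = int(age)   # persistent cookie, written to disk
    if secure:
        morsel["secure"] = True
    if httponly:
        morsel["httponly"] = True
    return morsel.OutputString()


def is_persistent(set_cookie_header):
    """Return True when the header carries an expiry (Max-Age or Expires),
    i.e. the cookie survives closing the browser; False for session cookies.
    Useful for checking what a deployment actually emits for csrftoken."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_header)
    for morsel in cookie.values():
        if morsel["max-age"] or morsel["expires"]:
            return True
    return False


if __name__ == "__main__":
    token = "constructedtoken0123456789"          # constructed sample value
    for age in (CSRF_COOKIE_AGE, None):
        header = build_csrf_set_cookie(token, age=age, secure=True)
        kind = "persistent" if is_persistent(header) else "session"
        print(f"CSRF_COOKIE_AGE={age!r}: {kind}: Set-Cookie: {header}")
```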

@timgraham
Django member

@PaulMcMillan does this look ok to you?

@PaulMcMillan

@timgraham yes, this looks good to me.

I would like to also see a test for the value None, to make sure that works as the docs say it does.

@rogerhu rogerhu Allow CSRF cookie age to be adjusted.
Internet Explorer has the ability to block/disable persistent cookies (http://support.microsoft.com/kb/196955), and corruption of the index.dat cache
(i.e. disk errors that need to be repaired via CHKDSK) can cause Django sites to authenticate correctly but fail to do FORM POSTs. To
avoid this behavior, provide the option to configure the CSRF cookie age so that cookies can be configured to be persistent or session-based.

Test added and documentation updated.
f7318cd
@rogerhu
rogerhu commented Mar 6, 2014

@PaulMcMillan test added.

@PaulMcMillan

@rogerhu looks good to me. Thanks for patching this. In addition to solving your issue, it's going to reduce the frequency of complaints from a certain class of pentesters whose tools complain without understanding what's going on.

@timgraham
Django member

merged in 9b729dd, thanks. I tried to clarify the wording of the documentation a bit - let me know if you see any problems.

@timgraham timgraham closed this Mar 6, 2014