The handling of MaxAge is confusing with respect to 0 or negative ages.
In csrf.go:
```go
if cs.opts.MaxAge < 1 {
	// Default of 12 hours
	cs.opts.MaxAge = defaultAge
}
```
In store.go:
```go
// Set the Expires field on the cookie based on the MaxAge
if cs.maxAge > 0 {
	cookie.Expires = time.Now().Add(
		time.Duration(cs.maxAge) * time.Second)
} else {
	cookie.Expires = time.Unix(1, 0)
}
```
Perhaps we just remove the if condition in store.go?
The reason for the second case is to allow expiring cookies. During store initialization we don't want to allow a MaxAge < 1 (which would not be useful), but when saving the store being able to set the MaxAge to -1 (which forces a cookie expiry in normal browser clients) is useful.
The functionality to expire cookies isn't included now but was something I was considering to allow for refreshing the CSRF token.
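An added example, not part of this thread or of the project's code, that mirrors the two quoted checks to show what each one produces in the `Set-Cookie` header. `normalizeMaxAge`, `buildCookie` and the cookie name are hypothetical; the 12-hour default comes from the quoted comment, and copying `MaxAge` onto the cookie is an assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// Assumed value: 12 hours in seconds, per the "Default of 12 hours" comment.
const defaultAge = 12 * 60 * 60

// normalizeMaxAge mirrors the csrf.go check: any value below 1 becomes the default.
func normalizeMaxAge(maxAge int) int {
	if maxAge < 1 {
		return defaultAge
	}
	return maxAge
}

// buildCookie mirrors the store.go branch. Setting the MaxAge field as well
// as Expires is an assumption; the quoted snippet only shows Expires.
func buildCookie(name, value string, maxAge int, now time.Time) *http.Cookie {
	c := &http.Cookie{Name: name, Value: value, MaxAge: maxAge,
		HttpOnly: true, Secure: true, Path: "/"}
	if maxAge > 0 {
		c.Expires = now.Add(time.Duration(maxAge) * time.Second)
	} else {
		// One second after the epoch: always in the past, so clients drop the cookie.
		c.Expires = time.Unix(1, 0)
	}
	return c
}

func main() {
	now := time.Now()
	// After initialization the else branch is unreachable: 0 and -1 both
	// end up as the 12-hour default.
	for _, configured := range []int{0, -1, 600} {
		effective := normalizeMaxAge(configured)
		c := buildCookie("csrf_example", "constructed-value", effective, now)
		fmt.Printf("configured=%d effective=%d\n  %s\n", configured, effective, c)
	}
	// Only a save-time value that bypasses normalization reaches the expiry
	// branch; net/http serializes a negative MaxAge as "Max-Age=0".
	expired := buildCookie("csrf_example", "", -1, now)
	fmt.Printf("save-time maxAge=-1\n  %s\n", expired)
}
```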