No 'Max-Age' #38
Comments
What is the use-case supported by MaxAge=0?
Session cookies with no 'Max-Age' and 'Expires' are often used to store the state of an anonymous user. The default behavior of a cookie is defined officially in
Thanks. I'm aware of the RFC: I wanted to understand how your application worked in this regard. Since gorilla/csrf does not set the MaxAge field (for wider browser compatibility) the fix is pretty simple:

```diff
// Set the Expires field on the cookie based on the MaxAge
if cs.maxAge > 0 {
cookie.Expires = time.Now().Add(
time.Duration(cs.maxAge) * time.Second)
- } else {
+ } else if cs.maxAge < 0 {
cookie.Expires = time.Unix(1, 0)
}
```

(I'll push a change tomorrow unless you want to submit a PR and a test case)
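Review bot: the new `else if cs.maxAge < 0` branch still writes `cookie.Expires = time.Unix(1, 0)`, an Expires in 1970, for a negative MaxAge, while the commit message for this change says a MaxAge < 0 falls back to the 12-hour default; that only holds if the default is substituted before this code runs, which the hunk does not show, so the test case mentioned here should cover all three inputs (> 0, == 0, < 0) and assert that only MaxAge == 0 yields a cookie with neither an Expires nor a Max-Age attribute.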
Thank you. I'll leave it to you.
- As per #38 - we now support a MaxAge of 0 to allow for session cookie support. gorilla/csrf's CSRF tokens are designed to be reasonably long lived (12 hours), but there are some applications that require this. - Note that setting a MaxAge < 0 will default to 12 hours, so you must explicitly set csrf.MaxAge(0) to invoke this behaviour.
LGTM. Thanks a lot.
If a cookie has no 'Max-Age', it generally expires when the web browser closes.
Golang's Cookie supports this feature.
See https://golang.org/pkg/net/http/#Cookie
Currently gorilla/csrf doesn't seem to support the feature and sets Max-Age to 12 hours instead.
I think gorilla/csrf should not set Max-Age if the user explicitly sets the MaxAge option to 0
and should set Max-Age to 12 hours for compatibility if the user doesn't pass the MaxAge option.
What do you think?
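To see what each branch of the fix discussed in the thread produces on the wire, here is an added Go example (not gorilla/csrf's own code): a hypothetical expiresFor helper reproduces the three-way branch, and net/http serializes the cookie so the Set-Cookie value for a positive, zero and negative MaxAge can be compared. It assumes, as the thread states, that the cookie's MaxAge field is left unset; the cookie name and token value are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
	"time"
)

// expiresFor is a hypothetical helper mirroring the three-way branch of the
// fix in this thread (not gorilla/csrf's own code): a positive maxAge yields a
// future Expires, zero leaves Expires unset so the browser keeps the cookie
// only for the session, and a negative value dates it in the past.
func expiresFor(maxAge int, now time.Time) time.Time {
	if maxAge > 0 {
		return now.Add(time.Duration(maxAge) * time.Second)
	} else if maxAge < 0 {
		return time.Unix(1, 0)
	}
	return time.Time{}
}

// buildCookie leaves the MaxAge field at zero, as the thread describes, so
// net/http never emits a Max-Age attribute; only Expires carries the lifetime.
func buildCookie(name, value string, maxAge int, now time.Time) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		Expires:  expiresFor(maxAge, now),
	}
}

// isSessionCookie reports whether the serialized Set-Cookie value carries
// neither Expires nor Max-Age, i.e. the cookie ends with the browser session.
func isSessionCookie(c *http.Cookie) bool {
	s := c.String()
	return !strings.Contains(s, "Expires=") && !strings.Contains(s, "Max-Age=")
}

func main() {
	now := time.Now()
	// Constructed sample values: 12 hours, session-only, and "expire now".
	for _, age := range []int{12 * 60 * 60, 0, -1} {
		c := buildCookie("csrf_token", "example-token", age, now)
		fmt.Printf("MaxAge(%d): %s\n", age, c.String())
	}
}
```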