No 'Max-Age' #38
Comments
|
What is the use-case supported by MaxAge=0?
|
|
Session cookies with no 'Max-Age' and 'Expires' are often used to store the state of an anonymous user. The default behavior of a cookie is defined officially in |
|
Thanks. I'm aware of the RFC: I wanted to understand how your application worked in this regard. Since gorilla/csrf does not set the MaxAge field (for wider browser compatibility) the fix is pretty simple: // Set the Expires field on the cookie based on the MaxAge
if cs.maxAge > 0 {
cookie.Expires = time.Now().Add(
time.Duration(cs.maxAge) * time.Second)
- } else {
+ } else if cs.maxAge < 0 {
cookie.Expires = time.Unix(1, 0)
}(I'll push a change tomorrow unless you want to submit a PR and a test case) |
Thank you. I'll leave it to you. |
- As per #38 - we now support a MaxAge of 0 to allow for session cookie support. gorilla/csrf's CSRF tokens are designed to be reasonably long lived (12 hours), but there are some applications that require this. - Note that setting a MaxAge < 0 will default to 12 hours, so you must explcitly set csrf.MaxAge(0) to invoke this behaviour.
- As per #38 - we now support a MaxAge of 0 to allow for session cookie support. gorilla/csrf's CSRF tokens are designed to be reasonably long lived (12 hours), but there are some applications that require this. - Note that setting a MaxAge < 0 will default to 12 hours, so you must explcitly set csrf.MaxAge(0) to invoke this behaviour.
|
LGTM. Thanks a lot. |
If a cookie has no 'Max-Age', it generally expires when the web browser closes.
Golang's Cookie supports this feature.
See https://golang.org/pkg/net/http/#Cookie
Currently gorilla/csrf don't seem to support the feature and set Max-Age to 12 hours instead.
I think gorilla/csrf should not set Max-Age if the user explicitly set the MaxAge option to 0
and should set Max-Age to 12 hours for compatibility if the user don't pass the MaxAge option.
What do you think?
The text was updated successfully, but these errors were encountered: