
Ticket #512 (defect)

Opened 2 years ago

Last modified 2 years ago

setting 'expires' attribute for Cookies should be optional (diff included)

Status: reopened

Reported by: anonymous
Assigned to: rdelon
Priority: normal
Milestone: 2.2.2
Component: CherryPy code
Keywords: session cookie expires
Cc:

Previous fixes to the cookie's "expires" (and not "max-age") attributes are not optional.

When the 'expires' flag is present, tested browsers (IE, Firefox) make the cookie persistent across browser restarts, and depend on that setting for invalidation. When the 'expires' flag is absent, the browser makes the cookie memory-only, and destroys it when the browser process stops. When using HTTP-based authentication, restarting the browser is often the only way to log in as a different user, and as such, forcing the browser to destroy the cookie is necessary; otherwise, sessions live on into new logins.

Attached is a simple diff that allows for this by setting session_filter.timeout to 0.

Attachments

cp-session_timeout.diff (2.6 kB) - added by anonymous on 04/21/06 10:55:41.
cp-session_cookie.diff (1.5 kB) - added by andy.kilner@qustom.co.uk on 01/23/07 09:03:35.
Patch to add session_cookie

Change History

04/21/06 10:55:41: Modified by anonymous

  • attachment cp-session_timeout.diff added.

06/29/06 18:50:33: Modified by fumanchu

  • status changed from new to closed.
  • resolution set to fixed.

Fixed in [1177].

12/09/06 18:13:02: Modified by fumanchu

2.x fix in [1505].

01/23/07 09:01:42: Modified by andy.kilner@qustom.co.uk

  • status changed from closed to reopened.
  • resolution deleted.

After looking at the code for session_timeout it appears that although session cookies (that is, cookies which expire at the end of the user's browser session) are available by setting the session_timeout to 0, the session itself then expires immediately.

I'll attach a patch which adds session_filter.session_cookie as a flag to set when the cookie should expire at the end of the browser session, but session_filter.session_timeout will still affect how long the session data is held.

01/23/07 09:03:35: Modified by andy.kilner@qustom.co.uk

  • attachment cp-session_cookie.diff added.

Patch to add session_cookie

02/20/07 05:54:07: Modified by guest

  • milestone set to 2.2.2.
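
The distinction this ticket turns on, as an added example that is not part of the ticket, its patches, or CherryPy: whether the browser keeps the cookie (presence of 'expires') and how long the server keeps the session data are separate decisions. The function and parameter names are assumptions, modelled on the session_cookie and session_timeout settings discussed above; the session id is a constructed sample value.

```python
# Added illustration; not CherryPy code. All names here are hypothetical.
from email.utils import formatdate
from http.cookies import SimpleCookie


def build_set_cookie(session_id, timeout_minutes, session_cookie, now):
    """Return the Set-Cookie header value for a session id.

    session_cookie=True omits 'expires', so the browser holds the cookie in
    memory only and drops it when the browser process exits. Otherwise the
    cookie is persistent until now + timeout.
    """
    cookie = SimpleCookie()
    cookie["session_id"] = session_id
    cookie["session_id"]["path"] = "/"
    if not session_cookie:
        # Persistent cookie: survives browser restarts until this timestamp.
        cookie["session_id"]["expires"] = formatdate(
            now + timeout_minutes * 60, usegmt=True)
    return cookie["session_id"].OutputString()


def server_session_expired(last_access, timeout_minutes, now):
    """Server-side idle check, independent of the cookie's own lifetime."""
    return now - last_access >= timeout_minutes * 60


if __name__ == "__main__":
    now = 0  # constructed epoch timestamp so the output is reproducible
    # Persistent cookie: the old login can survive a browser restart.
    print(build_set_cookie("abc123", 60, False, now))
    # Browser-session cookie with a 60-minute server-side timeout.
    print(build_set_cookie("abc123", 60, True, now))
    # Overloading timeout=0 to mean "no expires" also makes the server-side
    # session data expire at once, which is the reason the ticket was reopened.
    print(server_session_expired(last_access=now, timeout_minutes=0, now=now))
```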
