#794: Session cookie should use "Max-Age" instead of "Expires"
----------------------------+-----------------------------------------------
Reporter: ci...@online.de | Owner: rdelon
Type: defect | Status: new
Priority: normal | Milestone:
Component: CherryPy code | Keywords: session timeout expires max-age
----------------------------+-----------------------------------------------
In [source:branches/cherrypy-2.x/cherrypy/filters/sessionfilter.py
sessionfilter.py] (CherryPy 2.x) and
[source:trunk/cherrypy/lib/sessions.py sessions.py] (CherryPy 3.x)
respectively, the expiration time for the session cookie is set using the
"Expires" attribute (an absolute timestamp) instead of the "Max-Age"
attribute (a time delta).
A comment in the CherryPy code states that this is done to have the cookie
saved to disk if people close the browser, and it is considered a
workaround for an alleged bug in MSIE. TurboGears copied this idea for its
own "visit" package, but it turned out that it has several drawbacks:
* Using the "Expires" attribute turns the cookie into a permanent cookie
that is treated differently in the browser (particularly MSIE), depending
on the security level it is in. It can happen that permanent cookies are
blocked completely, while session cookies (without an "Expires" attribute)
are still allowed.
* Though this is convenient, it is a security problem. That cookies are
not saved without setting "Expires" is really not a bug but a security
feature. I don't think it is a good idea to save a session cookie to disk.
If you close your browser and leave your PC, anybody else can recover your
session within the given session timeout.
* You get problems if the times and timezones on server and client are
out of sync. This cannot happen with the "Max-Age" attribute because it is
only a time delta.
Therefore, we reverted this in TurboGears (see
[http://trac.turbogears.org/ticket/1729 ticket 1729]) and now set
"Max-Age" again, instead of "Expires." We think that this should be changed
in CherryPy, too.
--
Ticket URL: <http://www.cherrypy.org/ticket/794>
CherryPy <http://www.cherrypy.org>
CherryPy - a pythonic, object-oriented HTTP framework