[Django] #32757: CSRF cookies are not issued once expired if the session cookie is still valid

Django

May 18, 2021, 8:10:43 AM
to django-...@googlegroups.com
#32757: CSRF cookies are not issued once expired if the session cookie is still valid
--------------------------------------+----------------------------------
Reporter: Luke Sapan | Owner: nobody
Type: Bug | Status: new
Component: CSRF | Version: 3.2
Severity: Normal | Keywords: csrf, cookie age
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
--------------------------------------+----------------------------------
Currently, if someone sets `SESSION_COOKIE_AGE` beyond a year without also
extending `CSRF_COOKIE_AGE`, their users are going to start running into
CSRF errors. There may be a reason for it, but Django won't issue a new
CSRF token once it expires if the user still has a valid session cookie.

I'm not sure if there's a security reason for this (I can't think of one),
but even if there is, it would make sense to add a warning during startup
if `SESSION_COOKIE_AGE > CSRF_COOKIE_AGE`.

--
Ticket URL: <https://code.djangoproject.com/ticket/32757>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
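The startup warning proposed in this report, written out as a plain function so it runs without Django installed. This is an added example, not Django's code and not anything the reporter posted: the check id `security.Wcookie_age` is a placeholder, the default ages are Django's documented defaults (two weeks for sessions, roughly one year for the CSRF cookie), and the function takes any object exposing the setting names as attributes. In a real project the same logic would sit in a function decorated with `django.core.checks.register(Tags.security)` and return `django.core.checks.Warning` objects instead of tuples.

```python
"""Startup-style check: warn when the session cookie can outlive the CSRF cookie.

Added example mirroring the warning proposed in ticket #32757; not part of
Django. It is kept free of Django imports so it can be run and tested
stand-alone against a SimpleNamespace of settings.
"""
from types import SimpleNamespace

# Django's documented defaults, in seconds.
DEFAULT_SESSION_COOKIE_AGE = 1209600    # 2 weeks
DEFAULT_CSRF_COOKIE_AGE = 31449600      # 364 days

# Placeholder id (hypothetical); Django's real security checks use "security.W0xx".
CHECK_ID = "security.Wcookie_age"


def cookie_age_warnings(settings):
    """Return a list of (check_id, message) tuples for misconfigured cookie ages.

    ``settings`` is any object with Django setting names as attributes, e.g.
    ``django.conf.settings`` in a project or a SimpleNamespace in a test.
    Missing attributes fall back to Django's defaults.
    """
    session_age = getattr(settings, "SESSION_COOKIE_AGE", DEFAULT_SESSION_COOKIE_AGE)
    csrf_age = getattr(settings, "CSRF_COOKIE_AGE", DEFAULT_CSRF_COOKIE_AGE)

    # CSRF_COOKIE_AGE = None makes the CSRF cookie a browser-session cookie
    # (no Max-Age at all), so there is no fixed lifetime to compare against.
    if csrf_age is None:
        return []

    if session_age <= csrf_age:
        return []

    gap_days = (session_age - csrf_age) / 86400
    message = (
        f"SESSION_COOKIE_AGE ({session_age}s) exceeds CSRF_COOKIE_AGE "
        f"({csrf_age}s) by about {gap_days:.0f} days; users with a still-valid "
        "session may see CSRF failures once their CSRF cookie expires. "
        "Raise CSRF_COOKIE_AGE to at least SESSION_COOKIE_AGE."
    )
    return [(CHECK_ID, message)]


if __name__ == "__main__":
    # Constructed settings: a 400-day session with the default CSRF cookie age,
    # the situation the ticket describes.
    risky = SimpleNamespace(SESSION_COOKIE_AGE=400 * 86400)
    for check_id, msg in cookie_age_warnings(risky):
        print(f"{check_id}: {msg}")
```

With `django.conf.settings` passed in, the same function reports against a live project; the tuples map one-to-one onto `Warning(msg, id=...)` objects if it is registered as a system check.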

Django

May 19, 2021, 5:33:02 AM
to django-...@googlegroups.com
#32757: CSRF cookies are not issued once expired if the session cookie is still valid
----------------------------------+--------------------------------------
Reporter: Luke Sapan | Owner: nobody
Type: Bug | Status: new
Component: CSRF | Version: 3.2
Severity: Normal | Resolution:
Keywords: csrf, cookie age | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+--------------------------------------

Comment (by Carlton Gibson):

Hi Luke.

Can I ask you to spell this out in a test case or sample project:

> Django won't issue a new CSRF token once it expires if the user still
> has a valid session cookie

Initially that would sound like a bug, but there could be lots going on,
and I'm imagining it would be quicker for you to narrow it down to the
exact reproduce.

Example in hand, it's much easier to look at.
Thanks! 🙂

--
Ticket URL: <https://code.djangoproject.com/ticket/32757#comment:1>

Django

May 19, 2021, 10:23:03 AM
to django-...@googlegroups.com
#32757: CSRF cookies are not issued once expired if the session cookie is still valid
----------------------------------+--------------------------------------
Reporter: Luke Sapan | Owner: nobody
Type: Bug | Status: closed
Component: CSRF | Version: 3.2
Severity: Normal | Resolution: invalid
Keywords: csrf, cookie age | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+--------------------------------------
Changes (by Luke Sapan):

* status: new => closed
* resolution: => invalid


Comment:

Hi Carlton,

Thanks for getting back! I went to create a minimal repro, and it turns
out that it actually is working correctly. My site seems to be
experiencing this issue because of the way it is interacting with Django
REST Framework. In any case, Django is all set, thanks!

--
Ticket URL: <https://code.djangoproject.com/ticket/32757#comment:2>

Django

May 20, 2021, 2:02:03 AM
to django-...@googlegroups.com
#32757: CSRF cookies are not issued once expired if the session cookie is still valid
----------------------------------+--------------------------------------
Reporter: Luke Sapan | Owner: nobody
Type: Bug | Status: closed
Component: CSRF | Version: 3.2
Severity: Normal | Resolution: invalid
Keywords: csrf, cookie age | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+--------------------------------------

Comment (by Carlton Gibson):

Thanks for the follow-up Luke 👍

--
Ticket URL: <https://code.djangoproject.com/ticket/32757#comment:3>
