Purpose of max_age_days when getting a secure cookie?


nasequilirbium nashequilibrium

Jun 30, 2014, 3:51:13 PM
to python-...@googlegroups.com
I understand the purpose of expires_days=30 when setting a secure cookie but what is the purpose of  max_age_days=31 when getting a secure cookie?
RequestHandler.set_secure_cookie(name, value, expires_days=30, version=None, **kwargs)
         Signs and timestamps a cookie so it cannot be forged.
RequestHandler.get_secure_cookie(name, value=None, max_age_days=31, min_version=None)
         Returns the given signed cookie if it validates, or None.

Ben Darnell

Jun 30, 2014, 10:55:32 PM
to Tornado Mailing List
On Mon, Jun 30, 2014 at 3:51 PM, nasequilirbium nashequilibrium <kerwin...@gmail.com> wrote:
I understand the purpose of expires_days=30 when setting a secure cookie but what is the purpose of  max_age_days=31 when getting a secure cookie?

This is subtle and under-documented, but in general if you set one of these you should probably set the other too.  The expires_days on set_secure_cookie instructs the user's browser to discard the cookie after that many days, while the max_age_days on get_secure_cookie is the oldest cookie the server will accept.  They are separate so you can use different max_age_days for different operations (for example, you might use max_age_days=1 when the user is about to change their billing information and 31 otherwise).  Since browsers will discard cookies after expires_days, it seldom makes sense to have max_age_days be greater than that.

-Ben
 
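The split Ben describes, as an added example that is not part of the original thread and is not Tornado's code: a stdlib-only simplified model in which the issue time sits inside the signed value, so the server's age limit holds even when a client keeps a cookie past its browser expiry. The cookie layout, the secret, and the names `sign_cookie`, `read_cookie` and `demo` are assumptions made for illustration and do not reproduce Tornado's cookie format.

```python
# Added example: simplified model, NOT Tornado's wire format (layout and names are assumptions).
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # constructed sample key
DAY = 86400

def _sig(name: str, payload: str) -> str:
    msg = f"{name}|{payload}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def sign_cookie(name: str, value: str, now: float) -> str:
    """Put the issue time inside the signed value (the role of set_secure_cookie)."""
    payload = f"{base64.b64encode(value.encode()).decode()}|{int(now)}"
    return f"{payload}|{_sig(name, payload)}"

def read_cookie(name, cookie, max_age_days, now):
    """Return the value, or None if forged or older than max_age_days."""
    try:
        b64, ts, sig = cookie.split("|")
        issued = int(ts)
    except ValueError:
        return None  # malformed cookie
    expected = _sig(name, f"{b64}|{ts}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # value, name or timestamp was altered
    if issued < now - max_age_days * DAY:
        return None  # too old for this operation, whatever the browser did
    return base64.b64decode(b64).decode()

def demo():
    now = time.time()
    fresh = sign_cookie("user", "alice", now - 5 * DAY)   # issued 5 days ago
    stale = sign_cookie("user", "alice", now - 40 * DAY)  # kept past its Expires
    # Move the stale cookie's timestamp forward without re-signing it.
    b64, _, sig = stale.split("|")
    forged = f"{b64}|{int(now)}|{sig}"
    return {
        "normal_page": read_cookie("user", fresh, 31, now),
        "billing_page": read_cookie("user", fresh, 1, now),
        "replayed_old": read_cookie("user", stale, 31, now),
        "edited_timestamp": read_cookie("user", forged, 31, now),
    }

if __name__ == "__main__":
    print(demo())
```

The same five-day-old cookie is accepted with a 31-day limit and rejected with a 1-day limit, which is the per-operation use Ben mentions.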

nasequilirbium nashequilibrium

Jul 1, 2014, 1:10:46 AM
to python-...@googlegroups.com, b...@bendarnell.com
Thanks for the quick reply, Ben. I never noticed that before; I would always just set the set_secure_cookie timer, until reading that part of the docs today.