#32757 closed Bug (invalid)
CSRF cookies are not issued once expired if the session cookie is still valid
| Reported by: | Luke Sapan | Owned by: | nobody |
|---|---|---|---|
| Component: | CSRF | Version: | 3.2 |
| Severity: | Normal | Keywords: | csrf, cookie age |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Currently, if someone sets SESSION_COOKIE_AGE beyond a year without also extending CSRF_COOKIE_AGE, their users are going to start running into CSRF errors. There may be a reason for it, but Django won't issue a new CSRF token once it expires if the user still has a valid session cookie.
I'm not sure if there's a security reason for this (I can't think of one), but even if there is, it would make sense to add a warning during startup if SESSION_COOKIE_AGE > CSRF_COOKIE_AGE.
Change History (3)
comment:1 by , 3 years ago
comment:2 by , 3 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
Hi Carlton,
Thanks for getting back! I went to create a minimal repro, and it turns out that it actually is working correctly. My site seems to be experiencing this issue because of the way it is interacting with Django REST Framework. In any case, Django is all set, thanks!
Hi Luke.
Can I ask you to spell out this in a test case or sample project:
Initially that would sound like a bug, but there could be lots going on, and I'm imagining it would be quicker for you to narrow it down to the exact reproduce.
Example in hand it's much easier to look at.
Thanks! 🙂