Issue #512 wontfix

[Patch] setting 'expires' attribute for Cookies should be optional (diff included)


Previous fixes to the cookie's "expires" (and not "max-age") attributes are not optional.

When the 'expires' flag is present, tested browsers (IE, Firefox) make the cookie persistent across browser restarts, and depend on that setting for invalidation. When the 'expires' flag is absent, the browser makes the cookie memory only, and destroys it when the browser process stops. When using HTTP-based authentication, restarting the browser is often the only way to log in as a different user, and as such, forcing the browser to destroy the cookie is necessary; otherwise, sessions live on into new logins.

Attached is a simple diff that allows for this by setting session_filter.timeout to 0.

Comments (8)

  1. Anonymous

    After looking at the code for session_timeout it appears that although session cookies (that is, cookies which expire at the end of the user's browser session) are available by setting the session_timeout to 0, the session itself then expires immediately.

    I'll attach a patch which adds session_filter.session_cookie as a flag to set when the cookie should expire at the end of the browser session, but session_filter.session_timeout will still affect how long the session data is held.
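The separation discussed in this thread, cookie lifetime in the browser versus session lifetime on the server, sketched as an added example. This is not CherryPy's code or either attached patch; `SessionStore`, its parameters and the `session_id` cookie name are hypothetical.

```python
import time
from email.utils import formatdate
from http.cookies import SimpleCookie


class SessionStore:
    """Hypothetical store: server-side timeout is independent of the cookie."""

    def __init__(self, timeout_s, session_cookie=False):
        self.timeout_s = timeout_s            # how long session data is held
        self.session_cookie = session_cookie  # True: omit 'expires' entirely
        self._data = {}                       # sid -> (last_access, data)

    def set_cookie_header(self, sid, now=None):
        """Return the Set-Cookie value for this session id."""
        now = time.time() if now is None else now
        cookie = SimpleCookie()
        cookie["session_id"] = sid
        cookie["session_id"]["path"] = "/"
        cookie["session_id"]["httponly"] = True
        if not self.session_cookie:
            # Persistent cookie: the browser keeps it across restarts.
            cookie["session_id"]["expires"] = formatdate(
                now + self.timeout_s, usegmt=True)
        # Without 'expires' the browser holds the cookie in memory only.
        return cookie["session_id"].OutputString()

    def save(self, sid, data, now=None):
        now = time.time() if now is None else now
        self._data[sid] = (now, data)

    def load(self, sid, now=None):
        """Return session data, or None once the server-side timeout passed."""
        now = time.time() if now is None else now
        entry = self._data.get(sid)
        if entry is None:
            return None
        last_access, data = entry
        if now - last_access > self.timeout_s:
            del self._data[sid]   # expire server-side regardless of the cookie
            return None
        self._data[sid] = (now, data)  # sliding expiry on each access
        return data
```

With `timeout_s=0` and no separate flag, `load()` returns `None` on the next request, which is the behaviour the comment above describes for the first patch.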
