Loading django/conf/global_settings.py +1 −0 Original line number Diff line number Diff line Loading @@ -558,6 +558,7 @@ CSRF_FAILURE_VIEW = 'django.views.csrf.csrf_failure' # Settings for CSRF cookie. CSRF_COOKIE_NAME = 'csrftoken' CSRF_COOKIE_AGE = 60 * 60 * 24 * 7 * 52 CSRF_COOKIE_DOMAIN = None CSRF_COOKIE_PATH = '/' CSRF_COOKIE_SECURE = False Loading django/middleware/csrf.py +1 −1 Original line number Diff line number Diff line Loading @@ -196,7 +196,7 @@ class CsrfViewMiddleware(object): # the expiry timer. response.set_cookie(settings.CSRF_COOKIE_NAME, request.META["CSRF_COOKIE"], max_age=60 * 60 * 24 * 7 * 52, max_age=settings.CSRF_COOKIE_AGE, domain=settings.CSRF_COOKIE_DOMAIN, path=settings.CSRF_COOKIE_PATH, secure=settings.CSRF_COOKIE_SECURE, Loading docs/ref/contrib/csrf.txt +1 −0 Original line number Diff line number Diff line Loading @@ -491,6 +491,7 @@ Settings A number of settings can be used to control Django's CSRF behavior: * :setting:`CSRF_COOKIE_AGE` * :setting:`CSRF_COOKIE_DOMAIN` * :setting:`CSRF_COOKIE_HTTPONLY` * :setting:`CSRF_COOKIE_NAME` Loading docs/ref/settings.txt +22 −0 Original line number Diff line number Diff line Loading @@ -324,6 +324,28 @@ See :doc:`/topics/cache`. .. _settings-csrf: .. setting:: CSRF_COOKIE_AGE CSRF_COOKIE_AGE --------------- .. versionadded:: 1.7 Default: ``31449600`` (1 year, in seconds) The age of CSRF cookies, in seconds. The reason for setting a long-lived expiration time is to avoid problems in the case of a user closing a browser or bookmarking a page and then loading that page from a browser cache. Without persistent cookies, the form submission would fail in this case. Some browsers (specifically Internet Explorer) can disallow the use of persistent cookies or can have the indexes to the cookie jar corrupted on disk, thereby causing CSRF protection checks to fail (and sometimes intermittently). Change this setting to ``None`` to use session-based CSRF cookies, which keep the cookies in-memory instead of on persistent storage. .. setting:: CSRF_COOKIE_DOMAIN CSRF_COOKIE_DOMAIN Loading docs/releases/1.7.txt +6 −0 Original line number Diff line number Diff line Loading @@ -446,6 +446,12 @@ Cache "non-expiring" by default. Previously, it was only possible to pass ``timeout=None` to the cache backend's ``set()`` method. Cross Site Request Forgery ^^^^^^^^^^^^^^^^^^^^^^^^^^ * The :setting:`CSRF_COOKIE_AGE` setting facilitates the use of session-based CSRF cookies. Email ^^^^^ Loading Loading
django/conf/global_settings.py +1 −0 Original line number Diff line number Diff line Loading @@ -558,6 +558,7 @@ CSRF_FAILURE_VIEW = 'django.views.csrf.csrf_failure' # Settings for CSRF cookie. CSRF_COOKIE_NAME = 'csrftoken' CSRF_COOKIE_AGE = 60 * 60 * 24 * 7 * 52 CSRF_COOKIE_DOMAIN = None CSRF_COOKIE_PATH = '/' CSRF_COOKIE_SECURE = False Loading
django/middleware/csrf.py +1 −1 Original line number Diff line number Diff line Loading @@ -196,7 +196,7 @@ class CsrfViewMiddleware(object): # the expiry timer. response.set_cookie(settings.CSRF_COOKIE_NAME, request.META["CSRF_COOKIE"], max_age=60 * 60 * 24 * 7 * 52, max_age=settings.CSRF_COOKIE_AGE, domain=settings.CSRF_COOKIE_DOMAIN, path=settings.CSRF_COOKIE_PATH, secure=settings.CSRF_COOKIE_SECURE, Loading
docs/ref/contrib/csrf.txt +1 −0 Original line number Diff line number Diff line Loading @@ -491,6 +491,7 @@ Settings A number of settings can be used to control Django's CSRF behavior: * :setting:`CSRF_COOKIE_AGE` * :setting:`CSRF_COOKIE_DOMAIN` * :setting:`CSRF_COOKIE_HTTPONLY` * :setting:`CSRF_COOKIE_NAME` Loading
docs/ref/settings.txt +22 −0 Original line number Diff line number Diff line Loading @@ -324,6 +324,28 @@ See :doc:`/topics/cache`. .. _settings-csrf: .. setting:: CSRF_COOKIE_AGE CSRF_COOKIE_AGE --------------- .. versionadded:: 1.7 Default: ``31449600`` (1 year, in seconds) The age of CSRF cookies, in seconds. The reason for setting a long-lived expiration time is to avoid problems in the case of a user closing a browser or bookmarking a page and then loading that page from a browser cache. Without persistent cookies, the form submission would fail in this case. Some browsers (specifically Internet Explorer) can disallow the use of persistent cookies or can have the indexes to the cookie jar corrupted on disk, thereby causing CSRF protection checks to fail (and sometimes intermittently). Change this setting to ``None`` to use session-based CSRF cookies, which keep the cookies in-memory instead of on persistent storage. .. setting:: CSRF_COOKIE_DOMAIN CSRF_COOKIE_DOMAIN Loading
docs/releases/1.7.txt +6 −0 Original line number Diff line number Diff line Loading @@ -446,6 +446,12 @@ Cache "non-expiring" by default. Previously, it was only possible to pass ``timeout=None` to the cache backend's ``set()`` method. Cross Site Request Forgery ^^^^^^^^^^^^^^^^^^^^^^^^^^ * The :setting:`CSRF_COOKIE_AGE` setting facilitates the use of session-based CSRF cookies. Email ^^^^^ Loading
