The results of a recent penetration test brought up the issue of the use of persistent cookies, specifically the CSRF cookie which has an expiry date one year in the future.
The rationale given was that since the cookie is stored on the hard drive, it is theoretically possible to get hold of it between a user's sessions. The question is, does the CSRF cookie really need to be persistent at all? I can't see that setting an expiry adds to the security model. If it was made non-persistent then the only difference is that the cookie would be regenerated for each new browser session, which means it would be generated more often than if the cookie was persistent, but is this an issue? Perhaps I'm missing something, but I'd be interested to learn the reasons why it was implemented with a persistent cookie.

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To view this discussion on the web visit https://groups.google.com/d/msg/django-developers/-/N4a1LKzUIYoJ.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
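An added example (not part of the original post or of Django's own code) of the check a reviewer would run over a response's Set-Cookie headers to confirm the finding above: it reports whether the CSRF cookie is a session cookie or persistent, and for how long. The sample headers and the clock value are constructed; in Django the lifetime is governed by the CSRF_COOKIE_AGE setting, where None produces a session cookie.

```python
"""Audit a Set-Cookie header for a persistent CSRF cookie (the pentest finding above)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers, shaped like what Django's CSRF middleware sends:
# the default one-year cookie (Max-Age plus Expires), an Expires-only variant,
# and a session-only cookie with neither attribute.
PERSISTENT = ("csrftoken=EXAMPLEtoken0123456789; "
              "expires=Thu, 18 Apr 2013 10:00:00 GMT; Max-Age=31449600; Path=/")
EXPIRES_ONLY = "csrftoken=EXAMPLEtoken0123456789; expires=Thu, 18 Apr 2013 10:00:00 GMT; Path=/"
SESSION_ONLY = "csrftoken=EXAMPLEtoken0123456789; Path=/"
NOW = datetime(2012, 4, 19, 10, 0, tzinfo=timezone.utc)  # constructed "current" time


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def csrf_cookie_lifetime(header, now=NOW, cookie_name="csrftoken"):
    """Return None for a session cookie, else how many seconds it persists.

    Either Max-Age or Expires makes a cookie persistent (written to disk by
    the browser); Max-Age takes precedence when both are present (RFC 6265, 5.3).
    """
    name, _, attrs = parse_set_cookie(header)
    if name != cookie_name:
        raise ValueError(f"expected a {cookie_name} cookie, got {name!r}")
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return int((expires - now).total_seconds())
    return None


def audit_csrf_cookie(header, now=NOW):
    """Classify the header the way the pentest report would: session or persistent."""
    lifetime = csrf_cookie_lifetime(header, now)
    if lifetime is None:
        return "session"
    return f"persistent for {lifetime // 86400} days"


if __name__ == "__main__":
    for label, header in (("default", PERSISTENT), ("expires only", EXPIRES_ONLY), ("session", SESSION_ONLY)):
        print(f"{label}: {audit_csrf_cookie(header)}")
```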
