XSRF cookie expiration issues #865
Comments
This affects me too: I'm writing an AJAX application, and the only time the XSRF cookie gets set is when the user logs in. But at that point

```python
import tornado.web

class BaseHandler(tornado.web.RequestHandler):
    @property
    def xsrf_token(self):
        # Re-issue the _xsrf cookie every time the token is read, so its expiry slides forward
        token = super().xsrf_token
        self.set_cookie('_xsrf', token, expires_days=30)
        return token
```

... Or should I be calling
I think the original idea was that you'd delay the initial creation of the

The current system is really designed for traditional HTML forms, and it's not a great fit for modern javascript apps. I'm not sure what the right design for that environment is. The simplest workaround I've used is to make GET requests (periodically and after any failure) just to refresh the xsrf_token.
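The client side of the workaround described above, as an added example that is not code from the Tornado project or from anyone in this thread: the page reads `_xsrf` from the cookie jar, sends it in the `X-XSRFToken` header that Tornado's `check_xsrf_cookie` accepts, refreshes the token with a GET when a request comes back 403, and refreshes it periodically. The `/xsrf` refresh URL is an assumed endpoint whose handler touches `self.xsrf_token`; `fetchImpl` and `getCookies` stand in for `window.fetch` and `document.cookie` so the logic runs outside a browser.

```javascript
// Read one cookie value from a document.cookie-style string. The jar is
// passed in rather than read from document.cookie so this is testable.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// fetchImpl: window.fetch in a browser; getCookies: () => document.cookie.
// refreshUrl is an assumed GET endpoint whose handler reads self.xsrf_token,
// so Tornado (re)issues the _xsrf cookie on that response.
function createXsrfClient({ fetchImpl, getCookies, refreshUrl = '/xsrf' }) {
  async function refreshToken() {
    const resp = await fetchImpl(refreshUrl, { method: 'GET', credentials: 'same-origin' });
    if (!resp.ok) throw new Error(`xsrf refresh failed with HTTP ${resp.status}`);
    return readCookie(getCookies(), '_xsrf');
  }

  function send(url, init, token) {
    // Tornado's check_xsrf_cookie accepts the token in the X-XSRFToken header,
    // which avoids injecting a hidden _xsrf field into JSON request bodies.
    const headers = { ...(init.headers || {}), 'X-XSRFToken': token };
    return fetchImpl(url, { ...init, credentials: 'same-origin', headers });
  }

  // Send a state-changing request. A missing or expired cookie makes the
  // server answer 403, so refresh the token once and retry before giving up.
  async function request(url, init = {}) {
    let token = readCookie(getCookies(), '_xsrf');
    if (token === null) token = await refreshToken();
    let resp = await send(url, init, token);
    if (resp.status === 403) {
      token = await refreshToken();
      resp = await send(url, init, token);
    }
    return resp;
  }

  // Proactive refresh well inside the cookie lifetime (30 days by default in
  // Tornado), so a long-lived page never reaches the expiry boundary.
  function startPeriodicRefresh(intervalMs, timer = setInterval) {
    return timer(() => { refreshToken().catch(() => {}); }, intervalMs);
  }

  return { request, refreshToken, startPeriodicRefresh };
}
```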
This feature is more invasive than using the samesite cookie attribute but does not provide additional protection, so it is no longer something that we should recommend. Now that this feature is deprecated, the open issues related to it will not be fixed (however, I intend to keep the current code around indefinitely; there are no plans to remove it).

Closes tornadoweb#865
Closes tornadoweb#2573
Closes tornadoweb#3026

With the introduction of SameSite cookies, Tornado's
The xsrf cookie is not refreshed gracefully when it expires. Form-based applications will usually be OK since they will request a page with a fresh token before any form submission, but long-lived AJAXy pages can have trouble if a session crosses the 30-day boundary. There should be some way to refresh the token before it expires.
Additionally, the cache expiration of any page that includes xsrf_form_html should not be greater than the remaining time on the xsrf cookie.
Discussion: https://groups.google.com/forum/#!searchin/python-tornado/xsrf/python-tornado/1aN84IYC7h8/cW9-J9JbxcUJ