XSRF cookie expiration issues #865
Comments
|
This affects me too: I'm writing an AJAX application, and the only time the XSRF cookie gets set is when the user logs in. But at that point @property
def xsrf_token(self):
token = super().xsrf_token
self.set_cookie( '_xsrf', token, expires_days=30)
return token |
|
... Or should I be calling |
|
I think the original idea was that you'd delay the initial creation of the The current system is really designed for traditional HTML forms, and it's not a great fit for modern javascript apps. I'm not sure what the right design for that environment is. The simplest workaround I've used is to make GET requests (periodically and after any failure) just to refresh the xsrf_token. |
This feature is more invasive than using the samesite cookie attribute but does not provide additional protection, so it is no longer something that we should recommend. Now that this feature is deprecated, the open issues related to it will not be fixed (however, I intend to keep the current code around indefinitely; there are no plans to remove it). Closes tornadoweb#865 Closes tornadoweb#2573 Closes tornadoweb#3026
|
With the introduction of SameSite cookies, Tornado's |
The xsrf cookie is not refreshed gracefully when it expires. Form-based applications will usually be OK since they will request a page with a fresh token before any form submission, but long-lived AJAXy pages can have trouble if a session crosses the 30-day boundary. There should be some way to refresh the token before it expires.
Additionally, the cache expiration of any page that includes xsrf_form_html should not be greater than the remaining time on the xsrf cookie.
Discussion: https://groups.google.com/forum/#!searchin/python-tornado/xsrf/python-tornado/1aN84IYC7h8/cW9-J9JbxcUJ
The text was updated successfully, but these errors were encountered: