grnet / djnro

DjNRO hits the decks of eduroam database management
http://djnro.grnet.gr/

Restrict validity of session and CSRF cookies #103

Closed vladimir-mencl-eresearch closed 3 months ago

vladimir-mencl-eresearch commented 3 months ago

By default, session cookies last for 2 weeks and CSRF cookies for 1 year:

https://docs.djangoproject.com/en/1.11/ref/settings/#session-cookie-age
https://docs.djangoproject.com/en/1.11/ref/settings/#csrf-cookie-age

Restrict session and CSRF cookie lifetime to 1 hour (but let session auto-extend while there's activity)
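The following is an added example, not code from DjNRO or from the issue author. It models what the proposed change does: the setting names (`SESSION_COOKIE_AGE`, `CSRF_COOKIE_AGE`, `SESSION_SAVE_EVERY_REQUEST`) and the default values are Django's own; the `PROPOSED_SETTINGS` fragment, the one-hour budget, the `audit_cookie_ages` check and the `session_valid_at` simulation are constructed here for illustration. The simulation shows the difference between a fixed one-hour lifetime and a sliding one: with `SESSION_SAVE_EVERY_REQUEST = True` Django re-saves the session on every request, which is what lets an active user keep their session while an idle one loses it after an hour.

```python
# Added example: audit Django cookie-age settings and model sliding session expiry.
# Times in the simulation are plain seconds (constructed values), not real timestamps.

# Django's shipped defaults for the settings the issue refers to.
DJANGO_DEFAULTS = {
    "SESSION_COOKIE_AGE": 60 * 60 * 24 * 7 * 2,   # 1209600 s = 2 weeks
    "CSRF_COOKIE_AGE": 60 * 60 * 24 * 7 * 52,     # 31449600 s = roughly 1 year
    "SESSION_SAVE_EVERY_REQUEST": False,
}

# Constructed settings fragment expressing the change requested in the issue:
# one-hour lifetime for both cookies, with the session re-saved on every
# request so its expiry slides forward while the user stays active.
PROPOSED_SETTINGS = {
    "SESSION_COOKIE_AGE": 3600,
    "CSRF_COOKIE_AGE": 3600,
    "SESSION_SAVE_EVERY_REQUEST": True,
}

# Assumed policy budget for this example: the one hour the issue asks for.
MAX_COOKIE_AGE_SECONDS = 3600


def audit_cookie_ages(settings, max_age=MAX_COOKIE_AGE_SECONDS):
    """Return one finding per cookie-age setting that exceeds the budget.

    Missing keys fall back to Django's defaults, exactly as Django itself
    would, so an unset CSRF_COOKIE_AGE is reported as the one-year default.
    """
    findings = []
    for name in ("SESSION_COOKIE_AGE", "CSRF_COOKIE_AGE"):
        age = settings.get(name, DJANGO_DEFAULTS[name])
        if age > max_age:
            findings.append(f"{name}={age}s exceeds the {max_age}s budget")
    return findings


def session_valid_at(request_times, check_time, settings):
    """Model whether a session is still valid at check_time (seconds).

    request_times: ascending request times (seconds) carrying the session
    cookie, all at or before check_time; the first request creates the
    session. With SESSION_SAVE_EVERY_REQUEST=True Django re-saves the
    session and re-issues the cookie on every request, so the expiry
    becomes last_request + age. With it False the expiry stays at
    creation + age unless a request modifies session data, which this
    model assumes does not happen.
    """
    age = settings.get("SESSION_COOKIE_AGE", DJANGO_DEFAULTS["SESSION_COOKIE_AGE"])
    sliding = settings.get("SESSION_SAVE_EVERY_REQUEST",
                           DJANGO_DEFAULTS["SESSION_SAVE_EVERY_REQUEST"])
    expiry = request_times[0] + age
    for t in request_times[1:]:
        if t > expiry:
            return False  # a gap longer than the lifetime: the session lapsed
        if sliding:
            expiry = t + age
    return check_time <= expiry


if __name__ == "__main__":
    # Constructed scenario: requests at 0, 50 and 100 minutes, checked at 140 minutes.
    active_user = [0, 50 * 60, 100 * 60]
    later = 140 * 60
    fixed_settings = dict(PROPOSED_SETTINGS, SESSION_SAVE_EVERY_REQUEST=False)
    print("defaults:", audit_cookie_ages(DJANGO_DEFAULTS))
    print("proposed:", audit_cookie_ages(PROPOSED_SETTINGS))
    print("sliding 1h, active user still valid:",
          session_valid_at(active_user, later, PROPOSED_SETTINGS))
    print("fixed 1h, same user:",
          session_valid_at(active_user, later, fixed_settings))
```

Run against the defaults, `audit_cookie_ages` reports both settings; against the proposed fragment it reports nothing. The simulation shows that with a fixed one-hour lifetime the user's third request (100 minutes after login) already arrives on a dead session, while the sliding configuration keeps it alive because no gap between requests exceeded an hour. Note that only the session cookie slides this way; the CSRF cookie simply expires after `CSRF_COOKIE_AGE` seconds from whenever Django last set it.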

James-REANNZ commented 3 months ago

Looks good to me. Django's reasoning for the default makes some sense, but no browser is going to cache a page for an entire year.