[bug] Default MaxAge never applies

Question

[bug] Default MaxAge never applies

betawaffle opened this issue 5 years ago · comments

Describe the bug

Ever since #38, the default MaxAge of 12 hours has not applied, because the check ignores zero.

For us, the current behavior is fine, we actually want session lifetime, but the documentation should be updated, or the default should apply when there is no explicit option given. Perhaps a good idea would be to move the defaulting into parseOptions instead?

Versions

We found this behavior in v1.6.0, but the bug was introduced in #38.

Steps to Reproduce

Use csrf.Protect without specifying the MaxAge option.

Expected behavior

The Max-Age property on the cookie should be whatever the documentation says the default will be.

Andrew Hodges · Answer 1 · Tue Aug 13 2019 02:11:47 GMT+0800 (China Standard Time)

Sorry, I meant it was introduced in #39.

Matt Silverlock · Answer 2 · Thu Aug 15 2019 22:37:30 GMT+0800 (China Standard Time)

Good catch. Are you explicitly setting 0 in your application? e.g. would this fix, if you pulled a fixed version, break your session cookies?

…

On Mon, Aug 12, 2019 at 11:11 AM Andrew Hodges ***@***.***> wrote: Sorry, I meant it was introduced in #39 <#39>. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#119?email_source=notifications&email_token=AAAEQ4HQOYHCFLQWG6QJFF3QEGRWHA5CNFSM4ILDSY72YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD4DLXMA#issuecomment-520534960>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAAEQ4BTYLC2VVPJ27K2MC3QEGRWHANCNFSM4ILDSY7Q> .

Andrew Hodges · Answer 3 · Thu Aug 15 2019 23:02:46 GMT+0800 (China Standard Time)

We are now. We weren't before, and I have no idea what other people are doing. I suspect, based on what we did, that people who didn't specify it assumed the docs were correct, and that the default of 12 hours was in place.

Matt Silverlock · Answer 4 · Mon Aug 26 2019 08:47:07 GMT+0800 (China Standard Time)

See https://github.com/gorilla/csrf/releases/tag/v1.6.1