Manage token life duration with SimpleCookie in Python

I already have a token working correctly, which is set this way:

from http.cookies import SimpleCookie

session_cookie = SimpleCookie()
session_cookie['key'] = any_string_value   # the token value
session_cookie['key']["Path"] = '/'

# one ("set-cookie", ...) tuple per morsel, in the form WSGI expects
headers = []
headers.extend(("set-cookie", morsel.OutputString())
    for morsel
    in session_cookie.values())

start_response(status, headers)   # WSGI start_response callable

I am also able to read the token and extract the information I need:

# Get cookies
cookies = request.get_cookies()
# Get current token from cookies
token = cookies['token'].value

Now, what would be the best approach to set an expiration on a cookie? I know there are 2 possible keys:

  1. session_cookie['key']['max-age'] = "time in seconds"
  2. session_cookie['key']['expires'] = "a date in the future"

How could I know if a token is expired, or what could be the best way to manage expired tokens?

Thanks a lot!

asked Jan 03 '13 14:01 by PepperoniPizza
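As an added example (not code from the question), the following shows the two expiry attributes SimpleCookie actually understands, 'max-age' and 'expires', set on the same morsel, and the matching logout headers that make the browser discard the cookie at once. The function names, the cookie name `token`, the HttpOnly flag and the sample timestamp are assumptions made for this illustration.

```python
# Added example: building a session cookie with both expiry attributes that
# http.cookies.SimpleCookie supports ('max-age' and 'expires').
from http.cookies import SimpleCookie
from email.utils import formatdate
import time


def build_session_headers(token, lifetime_seconds, now=None):
    """Return ('set-cookie', ...) WSGI header tuples for a cookie named
    'token' that expires `lifetime_seconds` after `now` (epoch seconds)."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie['token'] = token
    morsel = cookie['token']
    morsel['path'] = '/'
    # Relative lifetime (RFC 6265 Max-Age); old IE versions ignore it.
    morsel['max-age'] = lifetime_seconds
    # Absolute HTTP-date in RFC 1123 form, e.g. 'Thu, 03 Jan 2013 15:01:00 GMT'.
    morsel['expires'] = formatdate(now + lifetime_seconds, usegmt=True)
    # Assumption for this example: keep the token out of reach of page scripts.
    morsel['httponly'] = True
    return [('set-cookie', m.OutputString()) for m in cookie.values()]


def build_logout_headers():
    """Headers that tell the browser to drop the token cookie immediately:
    Max-Age=0 plus an Expires date in the past (the Unix epoch)."""
    cookie = SimpleCookie()
    cookie['token'] = ''
    cookie['token']['path'] = '/'
    cookie['token']['max-age'] = 0
    cookie['token']['expires'] = formatdate(0, usegmt=True)
    return [('set-cookie', m.OutputString()) for m in cookie.values()]


if __name__ == '__main__':
    # Constructed timestamp: 2013-01-03 14:01:00 UTC
    for header in build_session_headers('abc', 3600, now=1357221660):
        print(header)
    for header in build_logout_headers():
        print(header)
```

Setting both attributes is harmless: a client that understands Max-Age uses it and ignores Expires, an older one falls back to Expires.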


1 Answer

You can know if a token has expired if the token does not exist when you try to get it.

token = cookies['token'].value  # this will not exist (KeyError) once the browser has discarded the cookie

The browser deletes the cookie and everything related to that when the expiration date passes.

This way, in many implementations you can even delete cookies or, for example, log out a user just by setting the expiration date of the user_id cookie to something in the past (e.g. a negative number).

Now, as I understand it, you need a policy to detect expired tokens server side, and that can be accomplished by double validation. E.g. try to store a unique identifier for each token and, server side, when you read the token, check if it has expired. It's also possible for the user to manipulate his cookies, so never blindly trust cookies to store significant data or make any simple user_id validation.

I hope I helped.

EDIT

From RFC 2109:

Max-Age=delta-seconds Optional. The Max-Age attribute defines the lifetime of the cookie, in seconds. The delta-seconds value is a decimal non-negative integer. After delta-seconds seconds elapse, the client should discard the cookie. A value of zero means the cookie should be discarded immediately.

And from the Wikipedia article on HTTP cookies:

The Expires directive tells the browser when to delete the cookie. Derived from the format used in RFC 1123, the date is specified in the form of "Wdy, DD Mon YYYY HH:MM:SS GMT", indicating the exact date/time this cookie will expire. As an alternative to setting cookie expiration as an absolute date/time, RFC 6265 allows the use of the Max-Age attribute to set the cookie's expiration as an interval of seconds in the future, relative to the time the browser received the cookie.

I would recommend using max-age because it saves some trouble with setting dates etc. You just calculate an interval.

Reading a bit more, I found that max-age is not supported by IE < 9, and that means that expires is preferred:

Max-Age vs Expires

That should help ;-)

answered Oct 02 '22 21:10 by Jimmy Kane
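An added example, not the answer's own code, of the server-side "double validation" it describes: the browser is expected to drop the cookie when it expires, but a client can keep or forge cookies, so the server records every token it issues together with its expiry and checks that record on each request. `TokenStore`, `current_user`, the cookie name `token` and the sample Cookie header values are assumptions made for this illustration.

```python
# Added example: server-side expiry tracking and validation of session tokens,
# independent of whether the browser honoured Max-Age / Expires.
import secrets
import time
from http.cookies import SimpleCookie


class TokenStore:
    """In-memory record of issued tokens: token -> (user_id, expires_at)."""

    def __init__(self):
        self._tokens = {}

    def issue(self, user_id, lifetime_seconds, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
        self._tokens[token] = (user_id, now + lifetime_seconds)
        return token

    def validate(self, token, now=None):
        """Return the user_id for a live token, or None if the token is
        unknown (never issued, revoked or forged) or has expired."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            del self._tokens[token]  # expired: forget it server side as well
            return None
        return user_id

    def revoke(self, token):
        """Server-side logout; pair it with a Max-Age=0 Set-Cookie header."""
        self._tokens.pop(token, None)


def token_from_cookie_header(cookie_header):
    """Parse a request's Cookie header and return the token value, or None
    when the cookie is absent (e.g. the browser already discarded it)."""
    cookies = SimpleCookie()
    cookies.load(cookie_header or '')
    morsel = cookies.get('token')
    return morsel.value if morsel is not None else None


def current_user(store, cookie_header, now=None):
    """Resolve the requesting user from the Cookie header, trusting only
    the server-side record, never the cookie's own expiry attributes."""
    token = token_from_cookie_header(cookie_header)
    if token is None:
        return None
    return store.validate(token, now=now)


if __name__ == '__main__':
    store = TokenStore()
    tok = store.issue('alice', 3600, now=1000)        # constructed clock values
    print(current_user(store, 'token=' + tok, now=2000))   # alice
    print(current_user(store, 'token=' + tok, now=5000))   # None: expired
    print(current_user(store, 'token=forged', now=2000))   # None: never issued
```

Because the lookup key is the random token itself, a client that edits its cookie cannot extend its own session or impersonate another user; the only thing it can gain by keeping an expired cookie is a failed lookup.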