I already got the token working correctly; it is set this way:

    from http.cookies import SimpleCookie

    session_cookie = SimpleCookie()
    session_cookie['key'] = any_string_value
    session_cookie['key']["Path"] = '/'
    headers = []
    # one ("set-cookie", "...") header pair per morsel in the cookie jar
    headers.extend(("set-cookie", morsel.OutputString())
                   for morsel in session_cookie.values())
    start_response(status, headers)
I am also able to read the token and extract the information I need:
    # Get cookies
    cookies = request.get_cookies()
    # Get current token from cookies
    token = cookies['token'].value
Now, what would be the best approach to set an expiration on a cookie? I know there are 2 possible keys:
How could I know if a token is expired, or what could be the best way to manage expired tokens?
Thanks a lot!
You can know if a token has expired if the token does not exist when you try to get it.
    try:
        token = cookies['token'].value
    except KeyError:
        token = None  # the cookie does not exist any more: the browser discarded it
The browser deletes the cookie and everything related to that when the expiration date passes.
This way, in many implementations you can even delete cookies or, for example, log out a user just by setting the expiration date of the user_id cookie to something in the past (e.g. a negative number).
Now, as I understand it, you need a policy to detect expired tokens server side, and that can be accomplished by double validation. E.g. try to store a unique identifier for each token, and server side, when you read the token, check whether it has expired. It's also possible for the user to manipulate his cookies, so never blindly trust cookies to store significant data or make any simple user_id validation.
I hope I helped.
EDIT
From RFC 2109:
Max-Age=delta-seconds Optional. The Max-Age attribute defines the lifetime of the cookie, in seconds. The delta-seconds value is a decimal non-negative integer. After delta-seconds seconds elapse, the client should discard the cookie. A value of zero means the cookie should be discarded immediately.
And from the Wikipedia article on HTTP cookies:
The Expires directive tells the browser when to delete the cookie. Derived from the format used in RFC 1123, the date is specified in the form of “Wdy, DD Mon YYYY HH:MM:SS GMT”, indicating the exact date/time this cookie will expire. As an alternative to setting cookie expiration as an absolute date/time, RFC 6265 allows the use of the Max-Age attribute to set the cookie’s expiration as an interval of seconds in the future, relative to the time the browser received the cookie.
I would recommend using max-age because it saves some trouble with setting dates etc. You just calculate an interval.
Reading a bit more, I found that max-age is not supported by IE < 9, and that means that expires is preferred:
Max-Age vs Expires
That should help ;-)
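The approach from the answer above, as an added example that is not code from the question or the answer: the cookie carries both Max-Age (RFC 6265) and Expires (for older browsers), and the server keeps its own expiry record per opaque token, so a cookie the client edits cannot extend a session. The `SESSIONS` dict, `SESSION_TTL`, and the function names are assumptions made for this example.

```python
# Added example: set Max-Age and Expires on a session cookie and validate
# expiry server side instead of trusting the cookie's own lifetime.
import secrets
import time
from email.utils import formatdate
from http.cookies import SimpleCookie

SESSION_TTL = 3600  # one hour; chosen for this example

# Server-side record of token -> expiry timestamp (in-memory stand-in for a DB)
SESSIONS = {}


def issue_session_cookie(now=None, ttl=SESSION_TTL):
    """Mint an opaque token, record its expiry server side, and return
    (token, Set-Cookie header value) carrying both Max-Age and Expires."""
    now = time.time() if now is None else now
    ttl = int(ttl)
    token = secrets.token_urlsafe(32)  # unguessable; holds no user data
    SESSIONS[token] = now + ttl
    cookie = SimpleCookie()
    cookie["token"] = token
    cookie["token"]["path"] = "/"
    cookie["token"]["max-age"] = ttl  # honoured by RFC 6265 browsers
    cookie["token"]["expires"] = formatdate(now + ttl, usegmt=True)  # older IE
    cookie["token"]["httponly"] = True  # page scripts cannot read the token
    return token, cookie["token"].OutputString()


def validate_session(cookie_header, now=None):
    """Parse a request's Cookie header and return the token only if the
    server's own record says it is still valid; otherwise return None."""
    now = time.time() if now is None else now
    cookies = SimpleCookie()
    cookies.load(cookie_header or "")
    morsel = cookies.get("token")
    if morsel is None:
        return None  # browser discarded it after expiry, or never had it
    expiry = SESSIONS.get(morsel.value)
    if expiry is None or expiry <= now:
        SESSIONS.pop(morsel.value, None)  # unknown, forged, or stale: drop it
        return None
    return morsel.value
```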