#35340: Why does Django add 1 second to the lifetime of a cookie?
-----------------------------------------+-------------------------
Reporter: john-psina | Owner: nobody
Type: Uncategorized | Status: new
Component: HTTP handling | Version: 5.0
Severity: Normal | Keywords: cookies
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+-------------------------
I'm trying to implement JWT authentication using django-graphql-jwt on the
backend, and nuxt3 for the frontend. My token and refresh_token are stored
in cookies, and I wrapped the GraphQLView in a jwt_cookie decorator that
automatically checks for the existence of the jwt token in the cookie, as
well as its validity.
In general, everything works great. When I send an authorization request,
the backend returns me the "Set-Cookie" headers for JWT and
JWT_REFRESH_TOKEN with an expiration date that automatically deletes them
as soon as they become invalid, which saves me a lot of code/logic on the
frontend.
However, there is one very unpleasant thing - Django adds 1 second to the
cookie lifetime for some reason in the set_cookie function, and it ruins
everything. Here is the Django code:
{{{
def set_cookie(
self,
key,
value="",
max_age=None,
expires=None,
path="/",
domain=None,
secure=False,
httponly=False,
samesite=None,
):
self.cookies[key] = value
if expires is not None:
if isinstance(expires, datetime.datetime):
if timezone.is_naive(expires):
expires = timezone.make_aware(expires,
datetime.timezone.utc)
delta = expires -
datetime.datetime.now(tz=datetime.timezone.utc)
# Add one second so the date matches exactly (a fraction
of
# time gets lost between converting to a timedelta and
# then the date string).
# Here's what I mean ↓↓↓
delta += datetime.timedelta(seconds=1)
# Just set max_age - the max_age logic will set expires.
expires = None
if max_age is not None:
raise ValueError("'expires' and 'max_age' can't be
used together.")
max_age = max(0, delta.days * 86400 + delta.seconds)
else:
self.cookies[key]["expires"] = expires
else:
...
}}}
I see the comment from Django, but I still don't understand what it means.
This may not be a critical issue, but I just can't understand why they did
it. The result of this behavior is that within 1 second after the token
has expired, it is still in the user's cookies, and that doesn't seem
right to me.
I can fix this problem by subtracting 1 second when creating cookies, but
I would like to avoid unpredictable errors that may arise due to this
innovation.
I would appreciate your answers and explanations :)
--
Ticket URL: <https://code.djangoproject.com/ticket/35340>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/0107018e8565d723-f183b1d6-85a6-4eb0-aad1-c61688f97554-000000%40eu-central-1.amazonses.com.
