On Sep 25, 1:57 pm, Marty Alchin <[email protected]> wrote:
> I wish there was
> a way to sign the expiration as well, so people couldn't artificially
> extend the life of the cookie, but since that doesn't come back in the
> request, there'd be no way to validate it.

We can do that by baking the timestamp the cookie was set into the
signed cookie value, then doing our own check against that and
discarding the cookie if it's expired. This pattern (signatures that
expire) is common enough that I think it would be worth supporting in
the low level django.utils.signed module - I've used timestamped
signatures for things like "recover your account" links that expire 24
hours after being requested.

The API would look something like this:

>>> s = signed.sign('value', timestamp=True)
>>> v = signed.unsign(s, expire_after=24 * 60 * 60)

A SignatureExpired exception would be raised if the signature was
older than the expire_after argument (SignatureExpired would subclass
BadSignature).

Cheers,

Simon
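
The timestamped-signature pattern described in this message, as an added example; it is not code from the original post or from django.utils.signed. The HMAC-SHA256 construction, the `value:timestamp:signature` layout, the explicit `key` argument and the `now` parameter (used to make the expiry check testable) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import time


class BadSignature(Exception):
    """Signature is missing, malformed, or does not match the value."""


class SignatureExpired(BadSignature):
    """Signature verifies but is older than the allowed age."""


def _mac(key, payload):
    # HMAC over "value:timestamp" (assumed construction, not Django's).
    digest = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign(value, key, now=None):
    # The timestamp is part of the MAC input, so the client cannot
    # change it without invalidating the signature.
    ts = int(time.time() if now is None else now)
    payload = f"{value}:{ts}"
    return f"{payload}:{_mac(key, payload)}"


def unsign(signed, key, expire_after, now=None):
    try:
        payload, sig = signed.rsplit(":", 1)
        value, ts_text = payload.rsplit(":", 1)
    except ValueError:
        raise BadSignature("malformed signed value")
    # Verify the MAC in constant time before trusting the timestamp.
    if not hmac.compare_digest(sig.encode(), _mac(key, payload).encode()):
        raise BadSignature("signature mismatch")
    # The server's own clock decides expiry, not the cookie's Expires
    # attribute, which the browser never sends back.
    age = (time.time() if now is None else now) - int(ts_text)
    if age > expire_after:
        raise SignatureExpired(f"signature is {int(age)}s old")
    return value
```
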