
Django: Cookie set to expire in 30 seconds is actually expiring in 30 minutes?

does

from django.http import HttpResponse

# Client-side cookie: the value itself is sent to the browser, with a 30-second Max-Age
hr = HttpResponse('ok')
hr.set_cookie('user_id', user_id, max_age=30)

while https://stackoverflow.com/a/25179642/433570 does

# Server-side session: the data stays on the server; only the session key is sent as a cookie
request.session[user_id] = True

And both say we are setting a cookie.

What's the difference between the two?
Can I set the expiration with the request.session method?


1 Answer

In short, cookies are intended to be stored on the client side, while sessions are stored on the server side (unless you're using cookie-based sessions).

Users can clear HTTP cookies from their browsers, but they can't do anything about the sessions on your server. Clearing sessions is up to you and your settings. There are some Django settings you can use to determine their age, like SESSION_COOKIE_AGE. For HTTP cookies it's possible to set attributes like max_age and expires.

Choosing which one to use depends on your requirements: are you going to store sensitive data, is permanence important, etc.

References:

  • Thank you, one question though: even though the user can't edit sessions on my server, he can delete the session key which points to the server session data in his browser cookie? Is that correct? – eugene Aug 19 '16 at 02:33
  • Yes, the user can still clear browser cookies, but can't manipulate the values if they are stored in a server-side session. – Tiny Instance Aug 19 '16 at 02:37
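The answer and the comment exchange above make three points: a cookie value lives in the browser and can be edited there, a server-side session exposes only an opaque key (which the user can delete but not forge), and session age is a server decision (SESSION_COOKIE_AGE, or a per-session override). The following is an added example, not code from the thread or from Django: it models both mechanisms with only the Python standard library, using a fake clock so the expiry behaviour is deterministic. `SessionStore`, `Browser`-style cookie jars as plain dicts, `user_from_cookie`, `user_from_session` and `SESSION_AGE_SECONDS` are constructed for this illustration; `set_expiry` is named after Django's real `request.session.set_expiry(seconds)`, which is the per-session answer to the "can I set the expiration with request.session" question.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Server-side policy knob, standing in for Django's SESSION_COOKIE_AGE (seconds).
# Constructed constant for this example.
SESSION_AGE_SECONDS = 30


def user_id_cookie_header(user_id, max_age=30):
    """Cookie approach: the user id itself goes to the browser, with a Max-Age.
    Returns the Set-Cookie header line, e.g. 'Set-Cookie: user_id=42; Max-Age=30'."""
    cookie = SimpleCookie()
    cookie["user_id"] = str(user_id)
    cookie["user_id"]["max-age"] = max_age
    return cookie.output(header="Set-Cookie:")


def parse_cookie_header(header_line):
    """What a browser keeps from a Set-Cookie line: (name, value, max_age)."""
    cookie = SimpleCookie()
    cookie.load(header_line.split(":", 1)[1].strip())
    morsel = next(iter(cookie.values()))
    return morsel.key, morsel.value, int(morsel["max-age"])


class SessionStore:
    """Session approach: data stays on the server; only a random key is sent out.
    Constructed stand-in for a Django session backend."""

    def __init__(self, age_seconds=SESSION_AGE_SECONDS, clock=time.time):
        self.age_seconds = age_seconds
        self.clock = clock
        self._sessions = {}  # session_key -> [expires_at, data]

    def create(self, data):
        key = secrets.token_urlsafe(32)  # unguessable, carries no data itself
        self._sessions[key] = [self.clock() + self.age_seconds, dict(data)]
        return key

    def set_expiry(self, key, seconds):
        """Per-session override, mirroring Django's request.session.set_expiry()."""
        self._sessions[key][0] = self.clock() + seconds

    def load(self, key):
        """Return the session data, or None if the key is unknown or expired."""
        entry = self._sessions.get(key)
        if entry is None or entry[0] <= self.clock():
            self._sessions.pop(key, None)  # expired sessions are purged server-side
            return None
        return entry[1]


def user_from_cookie(jar):
    """A server that trusts the cookie value directly."""
    return jar.get("user_id")


def user_from_session(store, jar):
    """A server that looks the opaque key up in its own store."""
    data = store.load(jar.get("sessionid", ""))
    return None if data is None else data.get("user_id")


def demonstrate():
    """Walk both approaches through tampering, clearing and expiry; return the observations."""
    now = [1_000_000.0]  # fake clock so the timing is deterministic
    store = SessionStore(clock=lambda: now[0])
    results = {}

    # Cookie approach: the browser holds the real value and can rewrite it.
    _, value, max_age = parse_cookie_header(user_id_cookie_header("42"))
    jar = {"user_id": value}
    results["cookie_max_age"] = max_age
    results["cookie_user"] = user_from_cookie(jar)
    jar["user_id"] = "1"  # the user edits the cookie in the browser
    results["cookie_user_after_edit"] = user_from_cookie(jar)

    # Session approach: the browser holds only the key.
    key = store.create({"user_id": "42"})
    jar = {"sessionid": key}
    results["session_user"] = user_from_session(store, jar)
    jar["sessionid"] = "tampered-" + key  # an edited key matches nothing on the server
    results["session_user_after_edit"] = user_from_session(store, jar)
    jar.clear()  # the user clears browser cookies: the session is simply unreachable
    results["session_user_after_clear"] = user_from_session(store, jar)

    # Expiry is decided on the server: SESSION_AGE_SECONDS, or a per-session override.
    jar = {"sessionid": key}
    store.set_expiry(key, 30)
    now[0] += 29
    results["session_user_at_29s"] = user_from_session(store, jar)
    now[0] += 2
    results["session_user_at_31s"] = user_from_session(store, jar)
    return results


if __name__ == "__main__":
    for name, observed in demonstrate().items():
        print(f"{name}: {observed!r}")
```

The asymmetry in the results is the point of the answer: rewriting the cookie changes what the first server believes, while rewriting or deleting the session key only costs the user their own session, and the session's lifetime moves with the server's clock and settings rather than anything stored in the browser.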