From: Bruno P. Kinoshita
Date: Wed, 31 Oct 2018 09:38:45 +0000 (+1300)
Subject: Use kwargs for expires_days, and remove default of 30 days
X-Git-Tag: v6.0.0b1~17^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=80c5357bdbdf06422dbfb3ed3f18f8abde66707f;p=thirdparty%2Ftornado.git
Use kwargs for expires_days, and remove default of 30 days
---
diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py
index be38a9984..a6f5d1bd0 100644
--- a/tornado/test/web_test.py
+++ b/tornado/test/web_test.py
@@ -2902,11 +2902,23 @@ class XSRFCookieKwargsTest(SimpleHandlerTestCase):
 self.write(self.xsrf_token)
 def get_app_kwargs(self):
- return dict(xsrf_cookies=True, xsrf_cookie_kwargs=dict(httponly=True))
+ return dict(
+ xsrf_cookies=True, xsrf_cookie_kwargs=dict(httponly=True, expires_days=2)
+ )
 def test_xsrf_httponly(self):
 response = self.fetch("/")
 self.assertIn("httponly;", response.headers["Set-Cookie"].lower())
+ self.assertIn("expires=", response.headers["Set-Cookie"].lower())
+ header = response.headers.get("Set-Cookie")
+ match = re.match(".*; expires=(?P.+);.*", header)
+ assert match is not None
+
+ expires = datetime.datetime.utcnow() + datetime.timedelta(days=2)
+ parsed = email.utils.parsedate(match.groupdict()["expires"])
+ assert parsed is not None
+ header_expires = datetime.datetime(*parsed[:6])
+ self.assertTrue(abs((expires - header_expires).total_seconds()) < 10)
 class FinishExceptionTest(SimpleHandlerTestCase):
diff --git a/tornado/web.py b/tornado/web.py
index 263f429bd..1f4a16982 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -1418,13 +1418,9 @@ class RequestHandler(object):
 else:
 raise ValueError("unknown xsrf cookie version %d", output_version)
 if version is None:
- expires_days = 30 if self.current_user else None
- self.set_cookie(
- "_xsrf",
- self._xsrf_token,
- expires_days=expires_days,
- **cookie_kwargs
- )
+ if self.current_user and "expires_days" not in cookie_kwargs:
+ cookie_kwargs["expires_days"] = 30
+ self.set_cookie("_xsrf", self._xsrf_token, **cookie_kwargs)
 return self._xsrf_token
 def _get_raw_xsrf_token(self) -> Tuple[Optional[int], bytes, float]:
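Review bot: The added `cookie_kwargs["expires_days"] = 30` writes the default into `cookie_kwargs` in place, and where that dict comes from is not visible here because the enclosing method starts outside the hunk. If it is the `xsrf_cookie_kwargs` dict held in the application settings (the one the test hunk configures), the first request with a `current_user` leaves `expires_days=30` in the shared settings, and later anonymous requests would then receive a persistent 30-day `_xsrf` cookie instead of a session cookie. Taking a copy before adding the default avoids that, e.g. `cookie_kwargs = dict(cookie_kwargs)` placed just ahead of the `if self.current_user and "expires_days" not in cookie_kwargs:` line. The test added in `web_test.py` only asserts an explicit `expires_days=2`, so neither the 30-day default nor the anonymous session-cookie case is covered; an authenticated request followed by an anonymous one against the same app would pin the intended behaviour.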