Set CSRF_COOKIE_AGE to 'None'.

This causes them to be sent as session cookies, not 1-year cookies.
2026-01-15 03:40:42 -03:30 · 2017-01-12 16:25:56 -05:00 · 2017-01-12 16:25:56 -05:00 · ef27d771fb
commit ef27d771fb
parent b1f3cd48c1
1 changed files with 4 additions and 0 deletions
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@ -169,6 +169,10 @@ SESSION_COOKIE_SECURE = True
 # Disallow sending csrf cookies over insecure connections
 CSRF_COOKIE_SECURE = True

+# Limit CSRF cookies to browser sessions
+CSRF_COOKIE_AGE = None
+
+
 TEMPLATE_CONTEXT_PROCESSORS = (  # NOQA
    'django.contrib.auth.context_processors.auth',
    'django.core.context_processors.debug',