From f3bf6c4218404479f7841e0af213d5db65913278 Mon Sep 17 00:00:00 2001
From: Luke Plant
Date: Fri, 4 Mar 2022 13:05:07 +0000
Subject: [PATCH] Refs #33562 -- Made HttpResponse.set_cookie() raise ValueError when both "expires" and "max_age" are passed.

This fixes the case where you might pass set_cookie(expires=val, max_age=val) and max_age is silently ignored.
---
 django/http/response.py | 2 ++
 tests/responses/test_cookie.py | 8 ++++++++
 2 files changed, 10 insertions(+)
diff --git a/django/http/response.py b/django/http/response.py
index 59120c8e0d3..801a0c0640e 100644
--- a/django/http/response.py
+++ b/django/http/response.py
@@ -244,6 +244,8 @@ class HttpResponseBase:
 delta = delta + datetime.timedelta(seconds=1)
 # Just set max_age - the max_age logic will set expires.
 expires = None
+ if max_age is not None:
+ raise ValueError("'expires' and 'max_age' can't be used together.")
 max_age = max(0, delta.days * 86400 + delta.seconds)
 else:
 self.cookies[key]["expires"] = expires
diff --git a/tests/responses/test_cookie.py b/tests/responses/test_cookie.py
index 3a57dcfe45c..b6610cbaaba 100644
--- a/tests/responses/test_cookie.py
+++ b/tests/responses/test_cookie.py
@@ -76,6 +76,14 @@ class SetCookieTests(SimpleTestCase):
 response.set_cookie("max_age", max_age=timedelta(hours=1))
 self.assertEqual(response.cookies["max_age"]["max-age"], 3600)
 
+ def test_max_age_with_expires(self):
+ response = HttpResponse()
+ msg = "'expires' and 'max_age' can't be used together."
+ with self.assertRaisesMessage(ValueError, msg):
+ response.set_cookie(
+ "max_age", expires=datetime(2000, 1, 1), max_age=timedelta(hours=1)
+ )
+
 def test_httponly_cookie(self):
 response = HttpResponse()
 response.set_cookie("example", httponly=True)
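Review bot: In django/http/response.py the new `max_age` check sits inside the branch that converts `expires` to a delta, so it fires only on that path and only after earlier work in set_cookie() has run; the `else:` arm in the same hunk still stores `expires` with no check. The rest of set_cookie() is outside the hunk, but the `self.cookies[key]["expires"]` assignment suggests the cookie entry already exists by this point, so a caller that catches the ValueError could be left with a cookie that has a value and none of the attributes set later (lifetime, and possibly flags such as secure/httponly). I would validate before touching `self.cookies`, e.g. `if expires is not None and max_age is not None: raise ValueError("'expires' and 'max_age' can't be used together.")` at the top of the method; if the non-converted `expires` form is meant to stay combinable with `max_age`, a one-line comment saying so would stop the next reader from assuming both paths are guarded. The diffstat lists only the source and test files, so the new exception also appears to lack a mention in the method's documentation.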
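Review bot: test_max_age_with_expires in tests/responses/test_cookie.py exercises only one combination, a datetime `expires` with a timedelta `max_age`, and asserts nothing about the response after the error. A second case passing `expires` in the form handled by the `else:` arm of set_cookie() would pin down whether that path is supposed to accept `max_age` or reject it. If the check is moved ahead of any mutation, `self.assertNotIn("max_age", response.cookies)` after the `with` block would keep a partially built cookie from reappearing. The enclosing SetCookieTests class starts and continues outside the hunk.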