This legacy issue tracker remains available to allow us to reference old issues. If you find a ticket here which is still relevant, please feel free to continue the discussion. For new issues, please use SourceHut.
request.session is a new, fresh object for each request, even of the same user/session. Because it is created from the contents of the sent cookie. So the extra .max_age will only be set on the session straight on the login action. So yes, it will affect the cookie that is set at login.
But if the cookie is modified later on by modifying the session, then there wont be any max_age and the cookie will be sent as a session cookie. I don't know, what browsers do, when cookies change from having an expire time to not having one.
If you want to test: Do anything that creates a message at the top. For example post an empty comment.
So the max_age should possibly be put in the session itself, so that it can be used later on again?