Message 230241 - Python tracker

Message230241

Author	Tim.Graham
Recipients	Tim.Graham, berker.peksag, georg.brandl, pitrou, r.david.murray
Date	2014-10-29.20:19:28
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1414613968.69.0.250979041696.issue22758@psf.upfronthosting.co.za>
In-reply-to

Content
Thank-you Georg; I believe I was able to fix some of the failures by patching Django as you suggested. However, I think I found another issue due to #16611 (support for httponly/secure cookies) not being backported to Python 3.2. The issue is that any cookies that appear after one that uses httponly or secure are dropped: >>> from http.cookies import SimpleCookie >>> c = SimpleCookie() >>> c['a'] = 'b' >>> c['a']['httponly'] = True >>> c['d'] = 'e' >>> out = c.output(header='', sep='; ') >>> SimpleCookie(out) <SimpleCookie: a='b'> Here's another example using the 'domain' option to show the same flow from above working as expected: >>> c = SimpleCookie() >>> c['a'] = 'b' >>> c['a']['domain'] = 'foo.com' >>> c['d'] = 'e' >>> out = c.output(header='', sep='; ') >>> SimpleCookie(out) <SimpleCookie: a='b' d='e'> It seems to me this may warrant backporting httponly/secure support to Python 3.2 now that cookie parsing is more strict (unless Django is again relying on incorrect behavior).

Content

Thank-you Georg; I believe I was able to fix some of the failures by patching Django as you suggested.

However, I think I found another issue due to #16611 (support for httponly/secure cookies) not being backported to Python 3.2. The issue is that any cookies that appear after one that uses httponly or secure are dropped:

>>> from http.cookies import SimpleCookie
>>> c = SimpleCookie()
>>> c['a'] = 'b'
>>> c['a']['httponly'] = True
>>> c['d'] = 'e'
>>> out = c.output(header='', sep='; ')
>>> SimpleCookie(out)
<SimpleCookie: a='b'>

Here's another example using the 'domain' option to show the same flow from above working as expected:

>>> c = SimpleCookie()
>>> c['a'] = 'b'
>>> c['a']['domain'] = 'foo.com'
>>> c['d'] = 'e'
>>> out = c.output(header='', sep='; ')
>>> SimpleCookie(out)
<SimpleCookie: a='b' d='e'>

It seems to me this may warrant backporting httponly/secure support to Python 3.2 now that cookie parsing is more strict (unless Django is again relying on incorrect behavior).

History
Date	User	Action	Args
2014-10-29 20:19:28	Tim.Graham	set	recipients: + Tim.Graham, georg.brandl, pitrou, r.david.murray, berker.peksag
2014-10-29 20:19:28	Tim.Graham	set	messageid: <1414613968.69.0.250979041696.issue22758@psf.upfronthosting.co.za>
2014-10-29 20:19:28	Tim.Graham	link	issue22758 messages
2014-10-29 20:19:28	Tim.Graham	create