[New-bugs-announce] [issue17340] Handle malformed cookie
keakon
report at bugs.python.org
Sun Mar 3 12:10:33 CET 2013
New submission from keakon:
One of my user told me that she couldn't login to my website yesterday. I logged her cookie, and found it began with ',BRIDGE_R=;' which was a malformed cookie.
Tornado uses Cookie.SimpleCookie.load() to parse her cookie, and returns an empty dict when catching an exception such as CookieError.
In that case, Tornado has to treat her as a new user since it believes she didn't provide any cookies.
Even after Tornado tried to set cookie (like user_id) for her, it still couldn't parse her cookie the next time.
I checked Issue2193 and found the patch provided by spookylukey could fix the bug, but it was rejected.
Why not add a default parameter like strict=True, and let users to decide whether to ignore invalid keys or to raise an error?
I believe SimpleCookie is useless for handling malformed cookies right now.
If it's still not acceptable, should I implement my own Cookie class for Tornado like Django did (https://github.com/django/django/blob/master/django/http/cookie.py)?
----------
components: Library (Lib)
messages: 183367
nosy: georg.brandl, keakon, spookylukey
priority: normal
severity: normal
status: open
title: Handle malformed cookie
type: behavior
versions: Python 2.7
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue17340>
_______________________________________
More information about the New-bugs-announce
mailing list