[issue17340] Handle malformed cookie

2013-03-09 Thread karl

karl added the comment:

Yes the new RFC has been written by Adam Barth who wanted to describe things 
matching the reality of HTTP and servers/browsers issues.

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue17340
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue17340] Handle malformed cookie

2013-03-09 Thread Terry J. Reedy

Terry J. Reedy added the comment:

I believe our normal policy is to only follow accepted RFCs. But your comment 
suggests that in this case we should pay attention to the new draft. Do you 
have any idea why apparently nothing has happened in two years? Do some people 
oppose it?

--




[issue17340] Handle malformed cookie

2013-03-09 Thread Luke Plant

Luke Plant added the comment:

I'm a core developer on Django, and I've looked into cookies a lot, and also 
Python's SimpleCookie, and I've found that all accepted RFCs are completely 
irrelevant for this issue.

No accepted RFC was ever widely implemented - instead browsers mainly did 
something like the original Netscape cookies, with various interpretations. 
Opera attempted RFC 2965, at least at one point, but no-one else.

RFC 6265, whatever its status, is probably the closest thing to a useful 
document of how cookies should work. But even then, I'm afraid that the main 
guiding principle has to be sheer pragmatism. Read the source code or bug 
trackers of any other project that has to handle cookies and you'll find they 
have all come to that conclusion, unfortunately.

--




[issue17340] Handle malformed cookie

2013-03-09 Thread karl

karl added the comment:

The current status of RFC6265 is PROPOSED STANDARD 
http://www.rfc-editor.org/info/rfc6265

Adam Barth is part of the Google Chrome Team. I do not want to talk for Adam. 
So better ask him, I don't think he has the energy/will to push further through 
the IETF process.

--




[issue17340] Handle malformed cookie

2013-03-08 Thread Terry J. Reedy

Terry J. Reedy added the comment:

Code behaving as documented is not a bug for tracker purposes. Adding a 
parameter to allow new behavior is an enhancement for a future release. 

Who is responsible for the invalid cookie? Pardon my ignorance, but if tornado 
re-sets the cookie, why can't it read it the next time?

If the existing test suite tests for CookieError for invalid cookies, writing 
tests for strict=False (return instead of CookieError) would be trivial.

--
nosy: +terry.reedy
stage:  -> test needed
type: behavior -> enhancement
versions: +Python 3.4 -Python 2.7




[issue17340] Handle malformed cookie

2013-03-08 Thread keakon

keakon added the comment:

Terry, say that a user's cookie is ',BRIDGE_R=; a=b;' right now.
When he logs in, the server sends a 'Set-Cookie: user_id=1; Path=/' header to him.
Then his cookie is ',BRIDGE_R=; a=b; user_id=1;' now.

The next time he sends the cookie to the server, Cookie.SimpleCookie.load() tries 
to parse the cookie, but raises a CookieError.
So the server has no way to get his user_id from the cookie. It has to let him 
log in again and sends the 'Set-Cookie: user_id=1; Path=/' header infinitely.

I cannot clear all cookies because Cookie.SimpleCookie.load() doesn't even let 
me know the keys in his cookie.

--
type: enhancement -> behavior
versions: +Python 2.7 -Python 3.4




[issue17340] Handle malformed cookie

2013-03-08 Thread Terry J. Reedy

Terry J. Reedy added the comment:

keakon, changing the headers after a developer sets them is insulting, 
annoying, a waste of my time to change them back again, and a distraction from 
the issue.

--
type: behavior -> enhancement
versions: +Python 3.4 -Python 2.7




[issue17340] Handle malformed cookie

2013-03-08 Thread keakon

keakon added the comment:

Terry, I think that's the standard process of web applications.

1. The user agent sends its cookie via HTTP headers to the web server.
2. The web server parses the cookie. If the server fails to find something in 
the cookie that proves the user has logged in, it redirects him to the login page.
3. The user agent posts the login information to the web server.
4. The web server verifies the posted data. If it's correct, the server sends 
Set-Cookie headers to the user agent which can be used as the proof in step 2.

After the 4 steps, the user agent should be considered a logged-in user.
However, in step 2, the server cannot parse his cookie due to CookieError. 
It has to redirect the user to the login page and continue with the next steps.

I don't think there is anything wrong with the process except the strange 
behavior of Cookie.SimpleCookie.load().

--




[issue17340] Handle malformed cookie

2013-03-08 Thread karl

karl added the comment:

Just a quick note that the new specification for HTTP State Mechanism (aka 
cookies) is http://tools.ietf.org/html/rfc6265

keakon, do you know why her cookie was ',BRIDGE_R=;'?

--
nosy: +karlcow




[issue17340] Handle malformed cookie

2013-03-08 Thread keakon

keakon added the comment:

karl, I don't know the exact reason.
BRIDGE_R is a cookie name set by Baidu Bridge. I don't know why there is a 
comma before it.

The Baidu Bridge is an external JavaScript resource. It can do anything like: 
document.cookie = ',BRIDGE_R=;';
I think Baidu Bridge set the wrong cookie by mistake. But we still rely on 
Baidu Bridge, and we have no way to clear the wrong cookie.

--




[issue17340] Handle malformed cookie

2013-03-08 Thread Terry J. Reedy

Terry J. Reedy added the comment:

Carl, do you know if the (2 year old) draft better reflects actual usage than 
2965? Is there much change other than deprecating the use of the Cookie2 and 
Set-Cookie2 header fields?

--




[issue17340] Handle malformed cookie

2013-03-03 Thread keakon

New submission from keakon:

One of my users told me that she couldn't log in to my website yesterday. I 
logged her cookie, and found it began with ',BRIDGE_R=;' which was a malformed 
cookie.
Tornado uses Cookie.SimpleCookie.load() to parse her cookie, and returns an 
empty dict when catching an exception such as CookieError.

In that case, Tornado has to treat her as a new user since it believes she 
didn't provide any cookies.
Even after Tornado tried to set a cookie (like user_id) for her, it still 
couldn't parse her cookie the next time.

I checked Issue2193 and found the patch provided by spookylukey could fix the 
bug, but it was rejected.
Why not add a default parameter like strict=True, and let users decide 
whether to ignore invalid keys or to raise an error?

I believe SimpleCookie is useless for handling malformed cookies right now.
If it's still not acceptable, should I implement my own Cookie class for 
Tornado like Django did 
(https://github.com/django/django/blob/master/django/http/cookie.py)?

--
components: Library (Lib)
messages: 183367
nosy: georg.brandl, keakon, spookylukey
priority: normal
severity: normal
status: open
title: Handle malformed cookie
type: behavior
versions: Python 2.7

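An added example, not code from the tracker thread, Tornado or Django: it reproduces with the cookie string keakon describes (both in the original report and in the login-loop message) how `http.cookies.SimpleCookie.load()` (the Python 3 name of `Cookie.SimpleCookie`) drops the whole Cookie header over one illegal name, and beside it a per-pair fallback that keeps the well-formed `user_id` pair while still rejecting `,BRIDGE_R` and reporting it. It assumes current CPython and that the server only needs name/value pairs from the request header.

```python
from http.cookies import SimpleCookie, CookieError

# Constructed sample: the request Cookie header from the thread, one malformed
# pair (",BRIDGE_R=") followed by two well-formed ones.
SAMPLE_HEADER = ",BRIDGE_R=; a=b; user_id=1"


def strict_load(header):
    """Whole-header parse with SimpleCookie.load(): {name: value}, or None if
    it raises CookieError. The regex accepts ",BRIDGE_R" as a name but
    Morsel.set() then rejects it, so one bad pair loses every other pair."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        return None
    return {name: morsel.value for name, morsel in jar.items()}


def lenient_load(header):
    """Parse each ';'-separated pair on its own. Returns (accepted, rejected):
    accepted maps name -> value for pairs the stdlib parser takes; rejected
    lists the raw chunks it refused so the server can log or expire them.
    Nothing is repaired: an illegal name is dropped, never guessed at."""
    accepted, rejected = {}, []
    for chunk in header.split(";"):  # a quoted value holding ';' would split
        chunk = chunk.strip()
        if not chunk:
            continue
        jar = SimpleCookie()
        try:
            jar.load(chunk)
        except CookieError:
            rejected.append(chunk)
            continue
        if not jar:  # regex matched nothing usable, e.g. a bare "foo"
            rejected.append(chunk)
            continue
        for name, morsel in jar.items():
            accepted.setdefault(name, morsel.value)  # first occurrence wins
    return accepted, rejected


def parse_cookie_header(header):
    """Strict stdlib parse first; fall back to per-pair parsing on failure."""
    parsed = strict_load(header)
    return (parsed, []) if parsed is not None else lenient_load(header)
```

Logging the rejected chunks is what makes the failure visible: with `strict_load` alone the server sees an empty cookie jar and cannot even tell which name to expire.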