[issue17340] Handle malformed cookie
karl added the comment: Yes the new RFC has been written by Adam Barth who wanted to describe things matching the reality of HTTP and servers/browsers issues. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17340 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17340] Handle malformed cookie
Terry J. Reedy added the comment: I believe our normal policy is to only follow accepted RFCs. But your comment suggests that in this case we should pay attention to the new draft. Do you have any idea why apparently nothing has happened in two years. Do some people oppose it? -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17340 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17340] Handle malformed cookie
Luke Plant added the comment: I'm a core developer on Django, and I've looked into cookies a lot, and also Python's SimpleCookie, and I've found that all accepted RFCs are completely irrelevant for this issue. No accepted RFC was ever widely implemented - instead browsers mainly did something like the original Netscape cookies, with various interpretations. Opera attempted RFC 2965, at least at one point, but no-one else. RFC 6265, whatever its status, is probably the closest thing to a useful document of how cookies should work. But even then, I'm afraid that the main guiding principle has to be sheer pragmatism. Read the source code or bug trackers of any other project that has to handle cookies and you'll find they have all come to that conclusion, unfortunately. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17340 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17340] Handle malformed cookie
karl added the comment: The current status of RFC6265 is PROPOSED STANDARD http://www.rfc-editor.org/info/rfc6265 Adam Barth is part of the Google Chrome Team. I do not want to talk for Adam. So better ask him, I don't think he has the energy/will to push further through the IETF process. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17340 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17340] Handle malformed cookie
Terry J. Reedy added the comment: Code behaving as documented is not a bug for tracker purposes. Adding a parameter to allow new behavior is an enhancement for a future release. Who is responsible for the invalid cookie. Pardon my ignorance, but if tornado re-sets the cookie, why cannot it read it the next time? If the existing test suite tests for CookieError for invalid cookies, writing tests for strict=False (return instead of CookieError) would be trivial. -- nosy: +terry.reedy stage: - test needed type: behavior - enhancement versions: +Python 3.4 -Python 2.7 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17340 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17340] Handle malformed cookie
keakon added the comment: Terry, say that a user's cookie is ,BRIDGE_R=; a=b; right now. When he login, the server sends Set-Cookie: user_id=1; Path=/ header to him. Then his cookie is ,BRIDGE_R=; a=b; user_id=1; now. The next time he sends cookie to the server, Cookie.SimpleCookie.load() tries to parse the cookie, but raises a CookieError. So the server has no way to get his user_id from cookie. It has to let him login again and sends Set-Cookie: user_id=1; Path=/ header infinitely. I cannot clear all cookies because Cookie.SimpleCookie.load() even dosen't let me know the keys in his cookie. -- type: enhancement - behavior versions: +Python 2.7 -Python 3.4 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17340 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17340] Handle malformed cookie
Terry J. Reedy added the comment: keakon, changing the headers after a developer sets them is insulting, annoying, a waste of my time to change them back again, and a distraction from the issue. -- type: behavior - enhancement versions: +Python 3.4 -Python 2.7 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17340 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17340] Handle malformed cookie
keakon added the comment: Terry, I think that's the standard process of web applications. 1. The user agent send cookie via HTTP headers to the web server. 2. The web server parse its cookie. If the server fails to find something proves the user has logged in from his cookie, redirect him to the login page. 3. The user agent post login information to the web server. 4. The web server verify the post data. If it's correct, the server send Set-Cookie headers which can be used as a proof in the step 2 to the user agent. After the 4 steps, the user agent should be considered as a logged-in user. However, in the step 2, the server cannot parse his cookie duo to CookieError. It has to redirect the user to the login page and continue the next steps. I don't think there is anything wrong with the process except the strange behavior of Cookie.SimpleCookie.load(). -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17340 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17340] Handle malformed cookie
karl added the comment: Just a quick note that the new specification for HTTP State Mechanism (aka cookies) is http://tools.ietf.org/html/rfc6265 keakon, Do you know why her cookie was ',BRIDGE_R=;' -- nosy: +karlcow ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17340 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17340] Handle malformed cookie
keakon added the comment: karl, I don't know the exact reason. BRIDGE_R is a cookie name set by Baidu Bridge. I don't know why there is a comma before it. The Baidu Bridge is an external JavaScript resource. It can do anything like: document.cookie = ,BRIDGE_R=;; I think Baidu Bridge set the wrong cookie by mistake. But we still rely on Baidu Bridge, and we have no way to clear the wrong cookie. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17340 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17340] Handle malformed cookie
Terry J. Reedy added the comment: Carl, do you know if the (2 year old) draft better reflect actual usage than 2965? Is there much change other than deprecates the use of the Cookie2 and Set-Cookie2 header fields.? -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17340 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17340] Handle malformed cookie
New submission from keakon: One of my user told me that she couldn't login to my website yesterday. I logged her cookie, and found it began with ',BRIDGE_R=;' which was a malformed cookie. Tornado uses Cookie.SimpleCookie.load() to parse her cookie, and returns an empty dict when catching an exception such as CookieError. In that case, Tornado has to treat her as a new user since it believes she didn't provide any cookies. Even after Tornado tried to set cookie (like user_id) for her, it still couldn't parse her cookie the next time. I checked Issue2193 and found the patch provided by spookylukey could fix the bug, but it was rejected. Why not add a default parameter like strict=True, and let users to decide whether to ignore invalid keys or to raise an error? I believe SimpleCookie is useless for handling malformed cookies right now. If it's still not acceptable, should I implement my own Cookie class for Tornado like Django did (https://github.com/django/django/blob/master/django/http/cookie.py)? -- components: Library (Lib) messages: 183367 nosy: georg.brandl, keakon, spookylukey priority: normal severity: normal status: open title: Handle malformed cookie type: behavior versions: Python 2.7 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17340 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com