* owner: ccahoon => nobody
* version: 1.0 => master
--
Ticket URL: <https://code.djangoproject.com/ticket/10554#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Comment (by unaizalakain):
Would a MorselKey class implementing the aforementioned methods in
django.http.cookie be right? If so, I'll submit a patch.
--
Ticket URL: <https://code.djangoproject.com/ticket/10554#comment:9>
Comment (by jdunck):
I believe so, yes. Jacob accepted this ticket; there's been no debate on
my suggested fix. I am now a core committer and feel this is a decent way
to fix the problem.
I would point out that in the years since I wrote these notes, the
versions of both Django and supported Python versions have changed - it's
possible there's a better way now, though I don't have time to dig into it
at the moment.
Thanks for your interest. :)
--
Ticket URL: <https://code.djangoproject.com/ticket/10554#comment:10>
Comment (by unaizalakain):
I have been fooling around with this little fix and one problem arises
from the proposed solution: while the custom hash method prevents dict
collisions, it also prevents checking if some cookie already exists
(as done by many contrib apps).
--
Ticket URL: <https://code.djangoproject.com/ticket/10554#comment:11>
Comment (by unaizalakain):
While a possible workaround could be to redefine SimpleCookie's method to
check if some cookie exists, some structural issues would arise. What
should we do if there are two cookies with the same name and
SimpleCookie.get('cookie') is called?
MorselKeys could be used to grab cookies from the cookies dict but a lot of
external code would change.
--
Ticket URL: <https://code.djangoproject.com/ticket/10554#comment:12>
Comment (by unaizalakain):
Related:
- http://bugs.python.org/issue7504
- http://bugs.python.org/issue1372650
- http://bugs.python.org/issue1375011
--
Ticket URL: <https://code.djangoproject.com/ticket/10554#comment:13>
Comment (by stavros):
We are currently getting a bug when a user has two sessionid cookies with
different domains. The user then is completely unable to log in, getting
redirected back to the homepage. It is related to this issue, but I'm not
sure whether I should file a new ticket or not. I would suggest that, if
the sessionid is expired, the cookies are deleted, but I'm not sure if
it's actually expired or not. Login works, the user gets redirected to the
root, and then the root sees that the user isn't authenticated and sends
them back to login forever. The user can only get out of this if they
clear their cookies, which is a very significant bug.
--
Ticket URL: <https://code.djangoproject.com/ticket/10554#comment:14>
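The name-keyed collision discussed in this thread, as an added example that is not part of the ticket or Django's code: it uses Python's standard `http.cookies.SimpleCookie` to show that a second cookie with the same name overwrites the first on the response side and that duplicate names in a request collapse to one value. The cookie values, domains and helper function names are constructed for illustration.

```python
from collections import Counter
from http.cookies import SimpleCookie

# Constructed sample: a browser holding two "sessionid" cookies (e.g. set for
# different domains) sends both in one Cookie header.
SAMPLE_COOKIE_HEADER = "sessionid=stale; csrftoken=abc; sessionid=fresh"


def response_side_collision():
    """Set one name for two domains; only one Set-Cookie value survives."""
    jar = SimpleCookie()
    jar["sessionid"] = "first"
    jar["sessionid"]["domain"] = "example.com"
    jar["sessionid"] = "second"  # same dict key: overwrites the value above
    jar["sessionid"]["domain"] = "app.example.com"
    return [morsel.OutputString() for morsel in jar.values()]


def parse_request_cookies(header):
    """Parse a Cookie header the way a name-keyed dict sees it."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def duplicate_cookie_names(header):
    """Return names that occur more than once in a raw Cookie header."""
    names = [
        pair.split("=", 1)[0].strip()
        for pair in header.split(";")
        if "=" in pair
    ]
    return sorted(name for name, count in Counter(names).items() if count > 1)


if __name__ == "__main__":
    print(response_side_collision())
    print(parse_request_cookies(SAMPLE_COOKIE_HEADER))
    print(duplicate_cookie_names(SAMPLE_COOKIE_HEADER))
```

Checking the raw header with something like `duplicate_cookie_names` lets a server log the ambiguity rather than silently trusting whichever value was parsed last.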
Comment (by collinanderson):
The latest https://tools.ietf.org/html/rfc6265 says we should not do this,
which makes me think it's not worth it. Is there a real-world problem that
this would actually solve?
{{{
Servers SHOULD NOT include more than one Set-Cookie header field in
the same response with the same cookie-name.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/10554#comment:15>
* status: new => closed
* resolution: => wontfix
Comment:
Feel free to reopen if you think Django really needs this ability.
--
Ticket URL: <https://code.djangoproject.com/ticket/10554#comment:16>