Make Cookies in Django follow the RFC correctly

Fernando Karchiloff

Dec 5, 2022, 9:35:13 AM
to Django developers (Contributions to Django itself)
Currently the implementation of Cookies doesn't follow the RFC 6265 correctly, especially the Path part that seems to be ignored. There was already an attempt here: https://github.com/django/django/pull/15019, but @collinanderson closed it for discussion first. Can we improve it?

Reference:

Adam Johnson

Dec 6, 2022, 4:08:50 AM
to django-d...@googlegroups.com
On the ticket associated with that PR ( https://code.djangoproject.com/ticket/33212 ), there was a lot of discussion, ending with Mariusz saying:

As far as I'm aware both propositions (PR15015 and PR15019) are backward incompatible, so they are against our stability policy, unless it's not a security issue (which is not the case, IMO). We can make breaking changes but we need a strong reason to do that. I'm concerned that changing the current behavior may actually make things worse in some cases. It seems to me that we need a broader discussion on this.

To continue the discussion I think we’ll need to hear about such a *strong reason* to break compatibility, or a path forward that is not backwards incompatible.

Thanks,

Adam


Fernando Karchiloff

Dec 6, 2022, 10:30:45 PM
to Django developers (Contributions to Django itself)
I've taken some time to read all the discussion again, imagine some scenarios, and read the comment that Collin made at his own PR at GitHub here.

Most of them would need to break compatibility, and now I agree that there is no reason to do so. But I still think we can improve it somehow, and remain compatible.

Collin mentions using MultiValueDict instead of a simple dict. That way we can at least retrieve all cookies with the same name, and still maintain its default behavior.
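The following is an added example, not part of the thread and not Django's code. It shows why the Path discussion matters on the server side: the `Cookie` request header carries only `name=value` pairs, so two cookies set under different paths with the same name arrive as duplicates, which a plain dict collapses and a multi-value mapping keeps while preserving single-value access. `MultiCookies`, `parse_flat`, `parse_multi` and the header are hypothetical and constructed, and returning the last value by default is an assumption chosen to match the flat parser shown here.

```python
# Added example: not Django code. MultiCookies is a hypothetical stand-in.

def split_pairs(header):
    """Yield (name, value) for each cookie-pair in a Cookie request header."""
    for chunk in header.split(";"):
        name, sep, value = chunk.partition("=")
        if not sep:  # bare token without "=": keep it as a nameless value
            name, value = "", chunk
        name, value = name.strip(), value.strip()
        if name or value:
            yield name, value

def parse_flat(header):
    """Plain dict: a later pair silently overwrites an earlier same-name pair."""
    return dict(split_pairs(header))

class MultiCookies(dict):
    """Stores a list per name; [] and get() still return a single value."""

    def __getitem__(self, name):
        return super().__getitem__(name)[-1]  # last value, like the flat dict

    def get(self, name, default=None):
        return self[name] if name in self else default

    def getlist(self, name):
        return list(super().get(name, []))  # every value, in header order

    def duplicates(self):
        """Names sent more than once, which the flat dict would hide."""
        return sorted(n for n in self if len(self.getlist(n)) > 1)

def parse_multi(header):
    cookies = MultiCookies()
    for name, value in split_pairs(header):
        cookies.setdefault(name, []).append(value)
    return cookies

# Constructed header: "sessionid" was set twice with different Path attributes.
# The Cookie header carries no Path, so the server only sees two values.
HEADER = "sessionid=from-app-path; theme=dark; sessionid=from-root-path"

if __name__ == "__main__":
    print(parse_flat(HEADER))
    multi = parse_multi(HEADER)
    print(multi["sessionid"], multi.getlist("sessionid"), multi.duplicates())
```
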