How to set the "secure" attribute of a secure cookie


Debby Mendez

Oct 17, 2012, 10:21:15 AM
to python-...@googlegroups.com
I don't see an obvious way to set the "; Secure" attribute on a secure cookie written with "set_secure_cookie".  How is this done?

aliane abdelouahab

Oct 17, 2012, 6:33:48 PM
to Tornado Web Server
Don't get the idea? A secure cookie is just encrypted text.

Russ Weeks

Oct 17, 2012, 6:44:43 PM
to python-...@googlegroups.com
Nope, http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly

Debbie, the code for RequestHandler.set_cookie should pass additional keyword arguments into the cookie 'morsel', so

self.set_secure_cookie(...,secure=True)

Should work? I think in this case the value is ignored by Cookie.Morsel.OutputString.  Alternatively it looks like there's a hook to provide your own Cookie implementation by defining a method "_new_cookie" in your RequestHandler.

-Russ

Russ Weeks

Oct 17, 2012, 6:57:49 PM
to python-...@googlegroups.com
For instance - and this is a terrible way to unit test tornado and you should never do it :)

>>> from tornado.web import RequestHandler, Application
>>> from tornado.httpserver import HTTPRequest
>>> a=Application(cookie_secret='asdfasdf')
>>> r=HTTPRequest('GET', '/')
>>> rh=RequestHandler(a,r)
>>> rh.set_secure_cookie('name', 'value', secure=True)
>>> rh._new_cookie.output()
'Set-Cookie: name="dmFsdWU=|1350514515|8f94d5dbd7c1dbbd4e19482bb71224dfaf6a99b6"; expires=Fri, 16 Nov 2012 22:55:15 GMT; Path=/; secure'

-Russ

小松

Oct 17, 2012, 8:23:33 PM
to python-...@googlegroups.com
define('static_url_prefix')
define('cookie_secret')
define('login_url')
'xsrf_cookies' : options.xsrf_cookies,

and config.conf

cookie_secret = 'somesting'


class Application(tornado.web.Application):
    def __init__(self):
        settings = {
            'template_path' : os.path.join(options.run_path, options.template_path),
            'static_path' : os.path.join(options.run_path, options.static_path),
            'static_url_prefix' : options.static_url_prefix,
            'cookie_secret' : options.cookie_secret,
            'login_url' : options.login_url,
            'ui_methods' : uimethods,
            'debug' : options.debug,
            'xsrf_cookies' : options.xsrf_cookies,
        }



Ben Darnell

Oct 17, 2012, 11:07:06 PM
to python-...@googlegroups.com
On Wed, Oct 17, 2012 at 6:44 PM, Russ Weeks <rwe...@newbrightidea.com> wrote:
> Nope, http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly
>
> Debbie, the code for RequestHandler.set_cookie should pass additional keyword
> arguments into the cookie 'morsel', so
>
> self.set_secure_cookie(...,secure=True)
>
> Should work? I think in this case the value is ignored by
> Cookie.Morsel.OutputString.

Yes, this works; the secure flag is not ignored by OutputString. You
can also set the httponly flag in the same way (but I think httponly
requires Python 2.7+).

> Alternatively it looks like there's a hook to
> provide your own Cookie implementation by defining a method "_new_cookie" in
> your RequestHandler.

That's not a hook - in general, methods beginning with underscores in
Tornado are internal implementation details, and subject to change
without warning in future releases. (There are a few underscore
methods that are OK for you to use and override; these are usually
listed in the docs.) If you want to do your own cookie handling you
should use add_header to set the Set-Cookie header directly.

-Ben
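
Added example, not part of the original thread and not Tornado's code: it uses Python 3's http.cookies (the renamed Cookie module discussed above) to show that a truthy secure or httponly keyword reaches the rendered morsel, and audits Set-Cookie lines for missing flags. The function names build_set_cookie, missing_flags and audit are hypothetical, and the sample cookies are constructed apart from the header copied from the interpreter session earlier in the thread.

```python
from http.cookies import SimpleCookie

# Header copied from the interpreter session in the thread (Python 2 output).
THREAD_HEADER = ('Set-Cookie: name="dmFsdWU=|1350514515|'
                 '8f94d5dbd7c1dbbd4e19482bb71224dfaf6a99b6"; '
                 'expires=Fri, 16 Nov 2012 22:55:15 GMT; Path=/; secure')


def build_set_cookie(name, value, **attrs):
    """Render a Set-Cookie value, copying keyword arguments onto the morsel.

    Hypothetical stand-in for the behaviour described in the thread,
    not Tornado's implementation.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = attrs.pop("path", "/")
    for key, val in attrs.items():
        morsel[key.replace("_", "-")] = val  # max_age -> max-age
    return morsel.OutputString()


def missing_flags(set_cookie, required=("secure", "httponly")):
    """Return the required flags that one Set-Cookie line does not carry."""
    # Attributes follow the first ';'. Names are matched case-insensitively
    # because Python 2 wrote 'secure' and Python 3 writes 'Secure'.
    attrs = set_cookie.split(";")[1:]
    present = {a.strip().split("=", 1)[0].lower() for a in attrs}
    return [flag for flag in required if flag not in present]


def audit(headers):
    """Map each cookie name to the flags it is missing."""
    report = {}
    for line in headers:
        if line.lower().startswith("set-cookie:"):
            line = line.split(":", 1)[1]
        name = line.split("=", 1)[0].strip()
        report[name] = missing_flags(line)
    return report


if __name__ == "__main__":
    samples = [  # constructed, except THREAD_HEADER
        build_set_cookie("session", "v1", secure=True, httponly=True),
        build_set_cookie("prefs", "v2", secure=False),
        THREAD_HEADER,
    ]
    for name, missing in audit(samples).items():
        print(name, "missing:", missing or "nothing")
```

A check like audit can run in a test suite against the Set-Cookie lines a handler emits, so a cookie written without secure=True fails the build instead of reaching production.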

Debby Mendez

Oct 18, 2012, 2:11:26 PM
to python-...@googlegroups.com, rwe...@newbrightidea.com
Thanks!

Brendan Berg

Jan 24, 2013, 2:16:10 PM
to python-...@googlegroups.com
When you call self.set_secure_cookie() in your handler, you can pass secure=True as a keyword argument.

For example:

class ExampleHandler(RequestHandler):
    def get(self):
        self.set_secure_cookie('cookie_name', 'cookie_value', secure=True)