Django


Ticket #6657 (closed: fixed)

Opened 9 months ago

Last modified 9 months ago

HttpResponse.set_cookie(secure=False) still sets secure cookies

Reported by: Gulopine
Assigned to: nobody
Milestone:
Component: HTTP handling
Version: SVN
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: 1
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0

Description

Currently, set_cookie() sets the secure attribute on the outgoing cookie if it's anything other than None, but since the secure attribute on cookies doesn't actually use a value, it gets sent out as secure any time any value is set on the cookie. This means that using secure=False results in a secure cookie. While it's still possible to set a non-secure cookie by simply omitting the secure argument entirely, the current behavior seems counter-intuitive.

>>> from django.http import HttpResponse
>>> response = HttpResponse()
>>> response.set_cookie('a')
>>> response.set_cookie('b', secure=False)
>>> response.set_cookie('c', secure=True)
>>> print response.cookies
Set-Cookie: a=; Path=/
Set-Cookie: b=; Path=/; secure
Set-Cookie: c=; Path=/; secure

Attachments

set_cookie.diff (1.3 kB) - added by Gulopine on 02/24/08 20:07:04.
Changed set_cookie() to take secure=False and to only set it on the cookie if it evaluates to True

Change History

02/24/08 20:07:04 changed by Gulopine

  • attachment set_cookie.diff added.

Changed set_cookie() to take secure=False and to only set it on the cookie if it evaluates to True

02/24/08 21:19:01 changed by mtredinnick

  • needs_better_patch changed.
  • stage changed from Unreviewed to Ready for checkin.
  • needs_tests changed.
  • needs_docs changed.

Does more than is necessary, but the rewrite is useful, too. Removing that replace() call just for the benefit of max-age isn't bad and we aren't going to be adding another 10 parameters here anytime soon, so the scaling of all the if-blocks isn't an issue.

03/07/08 21:31:43 changed by gwilson

  • status changed from new to closed.
  • resolution set to fixed.

(In [7204]) Fixed #6657 -- Don't set secure attribute on cookie if secure=False is passed, thanks Gulopine.
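
The before/after behaviour described in this ticket, as a simplified model added here (it is not Django's code or the attached patch). The function names render, set_cookie_before, set_cookie_after and has_secure_flag are hypothetical, and the inputs are constructed.

```python
# Simplified model of the logic described in the ticket; not Django's code.

def render(name, value, attrs):
    """Serialize one cookie. 'secure' carries no value on the wire, so this
    model emits it whenever a value has been stored for it (assumption taken
    from the ticket description)."""
    parts = ["%s=%s" % (name, value), "Path=/"]
    if "secure" in attrs:
        parts.append("secure")
    return "Set-Cookie: " + "; ".join(parts)

def set_cookie_before(name, value="", secure=None):
    """Pre-fix logic: store the attribute for anything other than None."""
    attrs = {}
    if secure is not None:
        attrs["secure"] = secure
    return render(name, value, attrs)

def set_cookie_after(name, value="", secure=False):
    """Post-fix logic: store the attribute only if it evaluates to True."""
    attrs = {}
    if secure:
        attrs["secure"] = True
    return render(name, value, attrs)

def has_secure_flag(header):
    """Regression check: is the Secure attribute present on a Set-Cookie line?
    The first ';'-separated field is name=value and is skipped."""
    _, _, body = header.partition(":")
    attributes = [p.strip().lower() for p in body.split(";")[1:]]
    return "secure" in attributes

def compare(cases):
    """Return (label, flag_before, flag_after) for each secure= argument."""
    rows = []
    for label, kwargs in cases:
        rows.append((label,
                     has_secure_flag(set_cookie_before("x", **kwargs)),
                     has_secure_flag(set_cookie_after("x", **kwargs))))
    return rows

# Constructed inputs: the three calls from the ticket plus another falsy value.
CASES = [("omitted", {}), ("False", {"secure": False}),
         ("True", {"secure": True}), ("0", {"secure": 0})]

if __name__ == "__main__":
    for label, before, after in compare(CASES):
        print("secure=%-8s before=%-5s after=%s" % (label, before, after))
```

A check like has_secure_flag can be reused as a regression test on rendered Set-Cookie headers, so the flag on the wire is compared against the value the caller passed.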

