#12686 closed (fixed)
django.contrib.messages does not reliably predict cookie size due to underlying cookie encoding
Reported by: | Tobias McNulty | Owned by: | Tobias McNulty |
---|---|---|---|
Component: | Contrib apps | Version: | 1.2-alpha |
Severity: | | Keywords: | |
Cc: | | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
As discovered in debugging #12470, django.contrib.messages makes an assumption about the size of encoded cookies that does not stand and may result in lost data as the total size of all stored messages approaches 4096 bytes. From Luke Plant:
CookieStorage assumes that the length of the 'encoded' data (i.e. the return val from CookieStorage._encode()) is the number of bytes that the data takes up in the cookie. But the additional encoding that SimpleCookie does means you actually have less space, depending on the data. The simplest solution I can think of would be to base64 the whole value, as already suggested for other reasons. SimpleCookie would then have no need to change any of it, and the assumption would hold.
While on the subject - I just found out that IE6 and IE7 impose a limit of 4096 bytes *total* for cookies from a domain [1]. With the current max_cookie_size, we leave no room for other cookies, which is bad. Maybe we should reduce to, say 3/4 of 4K.
[1] see http://blogs.neoseeker.com/Redemption/542-browser-cookies-limitations-ie6-ie7-others/
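The mismatch described above can be reproduced with the standard library alone. This is an added example, not Django's code and not part of the ticket; it assumes Python 3's `http.cookies.SimpleCookie` as the cookie layer, a JSON list as a stand-in payload format, a hypothetical `fit_messages` helper, and a 3072-byte budget taken from the "3/4 of 4K" suggestion.

```python
import base64
import json
from http.cookies import SimpleCookie

# Assumption: 3/4 of 4K, the reduced budget suggested in the ticket.
MAX_COOKIE_SIZE = 3072
_cookie = SimpleCookie()


def naive_length(value):
    """The size the storage assumed: length of the already-encoded string."""
    return len(value)


def stored_length(value):
    """The size after SimpleCookie quoting, i.e. what goes in Set-Cookie."""
    return len(_cookie.value_encode(value)[1])


def b64_wrap(value):
    """Base64 the whole value so SimpleCookie has nothing left to escape."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def fit_messages(messages, measure, limit=MAX_COOKIE_SIZE):
    """Hypothetical helper: drop the oldest message until `measure` fits."""
    kept = list(messages)
    while kept:
        encoded = json.dumps(kept, separators=(",", ":"))
        if measure(encoded) <= limit:
            return kept, encoded
        kept.pop(0)
    return [], ""


# Constructed sample: 120 short messages with quotes, a comma and a semicolon.
SAMPLE = ['Saved "report, v2"; done'] * 120

if __name__ == "__main__":
    for name, measure in (("naive", naive_length), ("stored", stored_length)):
        kept, encoded = fit_messages(SAMPLE, measure)
        print(name, len(kept), "messages,", len(encoded), "predicted,",
              stored_length(encoded), "bytes after SimpleCookie quoting")
    wrapped = b64_wrap(fit_messages(SAMPLE, naive_length)[1])
    # Base64 costs 4/3 up front, but the quoting overhead is then at most
    # the two surrounding quotes, so the prediction is stable.
    print("base64", len(wrapped), "predicted,", stored_length(wrapped), "stored")
```

With the naive measure the payload passes the 3072 check yet serializes to more than 4096 bytes, which is the data-loss case the ticket describes; measuring the quoted form, or base64-wrapping first, keeps the prediction within a constant of the real size.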
Change History (4)
comment:1 by , 15 years ago
Status: | new → assigned |
---|---|
Triage Stage: | Unreviewed → Accepted |
comment:2 by , 15 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
comment:3 by , 15 years ago
Whoops, didn't see those; thanks. You leave no work for the rest of us. :)
I fixed these issues in [12285] and [12287] respectively.
The reduction in max_cookie_size in [12287] also gives us some allowance for constant overhead (but not variable overhead) in cookie data. That is, most browsers include the "NAME=" as part of the cookie data when applying their maximum cookie size limit, and some might include other things like expiration date, so it is good to keep a little bit away from the limit.