Opened 15 years ago

Closed 15 years ago

Last modified 13 years ago

#12686 closed (fixed)

django.contrib.messages does not reliably predict cookie size due to underlying cookie encoding

Reported by: Tobias McNulty Owned by: Tobias McNulty
Component: Contrib apps Version: 1.2-alpha
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


As discovered in debugging #12470, django.contrib.messages makes an assumption about the size of encoded cookies that does not stand and may result in lost data as the total size of all stored messages approaches 4096 bytes. From Luke Plant:

CookieStorage assumes that the length of the 'encoded' data (i.e. the
return val from CookieStorage._encode()) is the number of bytes that
the data takes up in the cookie.  But the additional encoding that
SimpleCookie does means you actually have less space, depending on the

The simplest solution I can think of would be to base64 the whole
value, as already suggested for other reasons.  SimpleCookie would
then have no need to change any of it, and the assumption would hold.
While on the subject - I just found out that IE6 and IE7 impose a
limit of 4096 bytes *total* for cookies from a domain [1].  With the
current max_cookie_size, we leave no room for other cookies, which is
bad.  Maybe we should reduce to, say 3/4 of 4K.


Change History (4)

comment:1 by Tobias McNulty, 15 years ago

Status: newassigned
Triage Stage: UnreviewedAccepted

comment:2 by Luke Plant, 15 years ago

Resolution: fixed
Status: assignedclosed

I fixed these issues in [12285] and [12287] respectively.

The reduction in max_cookie_size in [12287] also gives us some allowance for constant overhead (but not variable overhead) in cookie data. That is, most browsers include the "NAME=" as part of the cookie data when applying their maximum cookie size limit, and some might included other things like expiration date, so it is good to keep a little bit away from the limit.

comment:3 by Tobias McNulty, 15 years ago

Whoops, didn't see those; thanks. You leave no work for the rest of us. :)

comment:4 by Jacob, 13 years ago

milestone: 1.2

Milestone 1.2 deleted

Note: See TracTickets for help on using tickets.
Back to Top