Opened 5 years ago

Closed 5 years ago

Last modified 3 years ago

#12686 closed (fixed)

django.contrib.messages does not reliably predict cookie size due to underlying cookie encoding

Reported by: tobias Owned by: tobias
Component: Contrib apps Version: 1.2-alpha
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

As discovered in debugging #12470, django.contrib.messages makes an assumption about the size of encoded cookies that does not stand and may result in lost data as the total size of all stored messages approaches 4096 bytes. From Luke Plant:

CookieStorage assumes that the length of the 'encoded' data (i.e. the
return val from CookieStorage._encode()) is the number of bytes that
the data takes up in the cookie.  But the additional encoding that
SimpleCookie does means you actually have less space, depending on the
data.

The simplest solution I can think of would be to base64 the whole
value, as already suggested for other reasons.  SimpleCookie would
then have no need to change any of it, and the assumption would hold.
While on the subject - I just found out that IE6 and IE7 impose a
limit of 4096 bytes *total* for cookies from a domain [1].  With the
current max_cookie_size, we leave no room for other cookies, which is
bad.  Maybe we should reduce to, say 3/4 of 4K.

see http://blogs.neoseeker.com/Redemption/542-browser-cookies-limitations-ie6-ie7-others/
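A worked illustration of the mismatch described above, added here and not code from the ticket or from Django (the helper names and the sample messages are hypothetical): it measures the bytes SimpleCookie really emits for a value via `value_encode`, and trims a message list against a byte budget using that real length rather than `len(value)`.

```python
"""Added example: why len(encoded) under-predicts the cookie size, and how to
measure the real size. Not Django code; helper names are hypothetical."""
import base64
import json
from http.cookies import SimpleCookie


def encoded_length(value: str) -> int:
    """Bytes SimpleCookie will emit for `value` (surrounding quotes and
    backslash/octal escapes included). This is the number a size check
    must compare against the limit, not len(value)."""
    return len(SimpleCookie().value_encode(value)[1])


def quoting_overhead(value: str) -> int:
    """Extra bytes SimpleCookie adds; 0 means len(value) was accurate."""
    return encoded_length(value) - len(value)


def messages_to_cookie_value(messages, use_base64=False):
    """Hypothetical stand-in for CookieStorage._encode: a compact JSON list.
    With use_base64=True the whole value is base64-encoded, as the ticket
    suggests, so SimpleCookie has nothing left to escape (at most it wraps
    the value in two quote characters because of '=' padding or '/')."""
    raw = json.dumps(messages, separators=(",", ":"))
    if use_base64:
        return base64.b64encode(raw.encode("utf-8")).decode("ascii")
    return raw


def fit_messages(messages, budget, use_base64=False):
    """Drop the oldest messages until the *encoded* cookie value fits in
    `budget` bytes. Returns (value_to_store, dropped_messages)."""
    messages = list(messages)
    dropped = []
    value = messages_to_cookie_value(messages, use_base64)
    while messages and encoded_length(value) > budget:
        dropped.append(messages.pop(0))
        value = messages_to_cookie_value(messages, use_base64)
    return value, dropped


# Constructed sample: the JSON quotes get backslash-escaped, ';' and ','
# become octal escapes, and the whole value is wrapped in quotes, so the
# cookie is 16 bytes longer than the 50-character value itself.
SAMPLE = ['Saved "report.pdf"', 'Logged in; welcome back']
```

With a 40-byte budget, `fit_messages(SAMPLE, 40)` drops the first message: the remaining value is 27 characters, but its cookie form is 34 bytes, which a `len()`-based check would have reported as fitting a 30-byte limit.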

Change History (4)

comment:1 Changed 5 years ago by tobias

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Status changed from new to assigned
  • Triage Stage changed from Unreviewed to Accepted

comment:2 Changed 5 years ago by lukeplant

  • Resolution set to fixed
  • Status changed from assigned to closed

I fixed these issues in [12285] and [12287] respectively.

The reduction in max_cookie_size in [12287] also gives us some allowance for constant overhead (but not variable overhead) in cookie data. That is, most browsers include the "NAME=" as part of the cookie data when applying their maximum cookie size limit, and some might include other things like expiration date, so it is good to keep a little bit away from the limit.

comment:3 Changed 5 years ago by tobias

Whoops, didn't see those; thanks. You leave no work for the rest of us. :)

comment:4 Changed 3 years ago by jacob

  • milestone 1.2 deleted

Milestone 1.2 deleted
