id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
15863	SimpleCookies are not correctly serialized with the file or database cache backends	Raphael Kubo da Costa	Paul McMillan	"As discussed in the [http://article.gmane.org/gmane.comp.python.django.devel/31913 django-developers mailing list], it appears that !SimpleCookies in !HttpResponses are not being correctly serialized when one uses either the file or the database cache backends.

The following steps are enough to trigger the incorrect behaviour:

 1. Enable !UpdateCacheMiddleware and !FetchFromCacheMiddleware in settings.py, and set CACHE_BACKEND accordingly
 1. Enable !SessionMiddleware and !CsrfViewMiddleware
 1. Have a view with a simple form and no specific cache decorators. Since the session application is being used, the `Vary: Cookie` header will be added anyway.
 1. In the template used by the view, include the `csrf_token` tag, as usual.
 1. Access the view, either via curl or a web browser.
 1. The first time the view is accessed, the csrf token is both set in the header as a cookie and displayed as a hidden form element, as expected. The header has the format `Set-Cookie: csrftoken=XX; Max-Age: YY; Path=/`.
 1. On subsequent accesses to the view, the cookie header has the format `Set-Cookie: csrftoken=""Set-Cookie: csrftoken=XX Max-Age: YY; Path=/""`, and so has the csrf form element, which causes the submitted form to be invalid when the csrf checks are made.

It turns out that `UpdateCacheMiddleware` serializes the returned !HttpResponse in `process_response`, and both the file and the database cache backends use `pickle.dumps` with `protocol=pickle.HIGHEST_PROTOCOL`. It is known that [http://bugs.python.org/issue826897 SimpleCookies are incompatible with pickle.HIGHEST_PROTOCOL]. !FetchFromCacheMiddleware later retrieves this same !HttpResponse and returns it; however, the cookies have invalid values.

The attached testcase triggers the problem in the unit tests."	Bug	closed	Core (Cache system)	1.2	Release blocker	fixed		Raphael Kubo da Costa teolicy	Accepted	0	0	1	0	0	0
