Opened 2 years ago

Closed 10 months ago

#20755 closed Bug (wontfix)

Certain cookie flags don't get unpickled properly

Reported by: julien
Owned by: julien
Component: HTTP handling
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


I've noticed that some cookie flags (at least httponly and secure) do not properly get unpickled. This is an issue particularly for FetchFromCacheMiddleware when it unpickles a cached response object.

So far I've narrowed down the issue to this snippet of code:

import pickle
from django.http import HttpResponse

original = HttpResponse()
original.set_cookie('foo', 'bar', path='/blah', httponly=True, secure=True)

pickled = pickle.dumps(original, pickle.HIGHEST_PROTOCOL)
reloaded = pickle.loads(pickled)

# httponly and secure get lost in the pickle loading process!!
original.cookies['foo']['httponly']   # True
reloaded.cookies['foo']['httponly']   # ''

original.cookies['foo']['secure']     # True
reloaded.cookies['foo']['secure']     # ''

str(original.cookies)                 # 'Set-Cookie: foo=bar; httponly; Path=/blah; secure'
str(reloaded.cookies)                 # 'Set-Cookie: foo=bar; Path=/blah'

At this stage I'm unsure if it's a bug in Django or in Python. For the record, I've tested this with Python 2.7.5.

Change History (2)

comment:1 Changed 2 years ago by julien

  • Owner changed from nobody to julien
  • Status changed from new to assigned
  • Triage Stage changed from Unreviewed to Accepted

After discussing with Collin Anderson, we found that this is in fact a bug in Python. The HTTPOnly and Secure flags aren't properly deserialized:

One work-around in Django would be to replace the empty strings '' with True.

I'll see if we can get this fixed in Python first before settling on a given work-around.

comment:2 Changed 10 months ago by timgraham

  • Component changed from Core (Serialization) to HTTP handling
  • Resolution set to wontfix
  • Status changed from assigned to closed

This has been fixed in Python 2.7.9, 3.3.3, and 3.4. Not sure it's worth adding a workaround in Django at this point.
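
A regression check for the behaviour reported in this ticket, added here as an example (not code from the ticket or from Django): it uses Python 3's standard-library http.cookies rather than HttpResponse, round-trips the ticket's cookie through pickle and through rendering and re-parsing the header text, and reports any HttpOnly/Secure flags that were dropped. The helper names and the simulated affected state are assumptions constructed for illustration.

```python
import pickle
from http.cookies import SimpleCookie

# Flags named in the ticket; both are valueless attributes in a Set-Cookie header.
SECURITY_FLAGS = ("httponly", "secure")

def build_jar():
    """Same cookie as the ticket's snippet, built with the standard library."""
    jar = SimpleCookie()
    jar["foo"] = "bar"
    jar["foo"]["path"] = "/blah"
    jar["foo"]["httponly"] = True
    jar["foo"]["secure"] = True
    return jar

def via_pickle(jar):
    """Round-trip the jar through pickle, as the ticket's snippet does."""
    return pickle.loads(pickle.dumps(jar, pickle.HIGHEST_PROTOCOL))

def via_header(jar):
    """Render each cookie to header text and parse that text back."""
    reloaded = SimpleCookie()
    for morsel in jar.values():
        reloaded.load(morsel.OutputString())
    return reloaded

def simulate_affected(jar):
    """Constructed stand-in for the reported state: flags come back as ''."""
    broken = via_pickle(jar)
    for morsel in broken.values():
        for flag in SECURITY_FLAGS:
            morsel[flag] = ""
    return broken

def lost_flags(original, reloaded):
    """Return sorted (cookie, flag) pairs set on original but not on reloaded."""
    lost = []
    for name, morsel in original.items():
        copy = reloaded.get(name)
        for flag in SECURITY_FLAGS:
            if morsel[flag] and not (copy is not None and copy[flag]):
                lost.append((name, flag))
    return sorted(lost)

if __name__ == "__main__":
    for label, fn in (("pickle", via_pickle), ("header", via_header)):
        print(label, lost_flags(build_jar(), fn(build_jar())))
```

An empty list from both round trips means the interpreter preserves the flags; a non-empty list names the cookies that would be served without them.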
