Opened 11 years ago
Closed 10 years ago
#20755 closed Bug (wontfix)
Certain cookie flags don't get unpickled properly
Reported by: | Julien Phalip | Owned by: | Julien Phalip |
---|---|---|---|
Component: | HTTP handling | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
I've noticed that some cookie flags (at least httponly
and secure
) do not properly get unpickled. This is an issue particularly for FetchFromCacheMiddleware
when it unpickles a cached response object.
So far I've narrowed down the issue to this snippet of code:
import pickle from django.http import HttpResponse original = HttpResponse() original.set_cookie('foo', 'bar', path='/blah', httponly=True, secure=True) pickled = pickle.dumps(original, pickle.HIGHEST_PROTOCOL) reloaded = pickle.loads(pickled) # httponly and secure get lost in the pickle loading process!! original.cookies['foo']['httponly'] # True reloaded.cookies['foo']['httponly'] # '' original.cookies['foo']['secure'] # True reloaded.cookies['foo']['secure'] # '' str(original.cookies) # 'Set-Cookie: foo=bar; httponly; Path=/blah; secure' str(reloaded.cookies) # 'Set-Cookie: foo=bar; Path=/blah'
At this stage I'm unsure if it's a bug in Django or in Python. For the record, I've tested this with Python 2.7.5.
Change History (2)
comment:1 by , 11 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
Triage Stage: | Unreviewed → Accepted |
comment:2 by , 10 years ago
Component: | Core (Serialization) → HTTP handling |
---|---|
Resolution: | → wontfix |
Status: | assigned → closed |
This has been fixed in Python 2.7.9, 3.3.3, and 3.4. Not sure it's worth adding a workaround in Django at this point.
After discussing with Collin Anderson, we found that this is in fact a bug in Python. The HTTPOnly and Secure flags aren't properly deserialized: http://bugs.python.org/issue16611
One work-around in Django would be to replace the empty strings
''
withTrue
.I'll see if we can get this fixed in Python first before settling on a given work-around.