Bug in BaseCookie load can result in cookies not being set

[Mark Hughes]

A bug with the Python cookie library means that cookies with square brackets (and all subsequent cookies) are ignored.

​http://bugs.python.org/issue22931

As far as I can tell this effects 2.7.9 and 3.4+

In our case some users had a s_vi cookie which appears to come from Adobe Site Catalyst. As this cookie contains square brackets, the Django sessionid which appeared later in the cookie string was being ignored and the user was unable to login.

Here's a simple test case.

>>> from django.http.cookie import SimpleCookie
>>> dd = SimpleCookie()
>>> dd.load('a=b; c=[; d=r')
>>> dd.output()
'Set-Cookie: a=b'

Should we try and code around this in http/cookie.py where other standard library issues are handled?

[Tim Graham]

Since we only officially support the latest micro release for each Python series, I doubt it's worth trying to address this in Django itself. A fix in Django isn't likely to be backported and by the time Django 1.9 is released, I'd hope it'se fixed upstream in Python. We debated removing the existing workarounds in django.http.cookie but decided to keep them since they don't present a maintenance overhead at this time.

[Tim Graham]

Reopening and assigning to myself to coordinate a fix in Django if Python does not backport the fix from ​​http://bugs.python.org/issue22931.

[Tim Graham]

The Python fix has been applied to the 2.7, 3.2, 3.3, and 3.4 branches.