id summary reporter owner description type status component version severity resolution keywords cc stage has_patch needs_docs needs_tests needs_better_patch easy ui_ux 26158 cookie parsing fails with python 3.x if request contains unnamed cookie Andreas Dolk Tim Graham "Example: {{{#!python from http import cookies good_cookie = 'csrftoken=5lkzK7FCI2iWy2xi7wbZPI7P26qbspIE; django_language=en' print(cookies.parse_cookie(good_cookie)) bad_cookie = 'csrftoken=5lkzK7FCI2iWy2xi7wbZPI7P26qbspIE; unnamed; django_language=en' print(cookies.parse_cookie(bad_cookie)) }}} Output: {{{ {'csrftoken': '5lkzK7FCI2iWy2xi7wbZPI7P26qbspIE', 'django_language': 'en'} {} }}} This parsing method is used during processing WSGI requests (see: django.core.handlers.wsgi.py) If a request contains at least one nameless cookie, then the parser result is an empty dictionary. The nameless cookie may be present in the client (browser) and this cause at least two serious problems for django: * django will not see the session cookie (user is asked to login again) * csrf validation fails with an error message (csrf cookie not set - because the middleware doesn't see it) It worked, btw., with python 2.7. Remark: Nameless cookies shouldn't happen - but in our case there's a different web application on the parent domain that sometimes sets a nameless cookie. Even though that this is a bug, it makes our django app quite unusable due to the cookie parsing and we'd have to ask the users to constantly delete the cookies on their browsers (or avoid the other app). Those cookies are evil but we have to expect them in real life :/" Bug closed HTTP handling 1.8 Normal fixed cookie python3 will@… zachborboa@… Ready for checkin 1 0 0 0 0 0