﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
26914	Invalid characters in cookie name break csrf checking	Cheng Guo	nobody	"If a cookie name contains either [ or ] and this cookie is placed before the csrftoken cookie in the http request header, it will prevent the csrftoken from loading and result in a `CSRF cookie not set` error.

For example, on any login page with csrf enabled, create a cookie in the browser like the following and submit the form:


{{{
key: [
val: whatever
}}}


If this cookie is placed before the csrftoken cookie in the Cookie field of the http request header, then django will return 403 with the `CSRF cookie not set` error. [https://github.com/django/django/blob/master/django/middleware/csrf.py#L27 Here is a link to the source code]

This bug does not seem to be related to [http://bugs.python.org/issue22931 Python 2.7.x's cookie bug] or [https://code.djangoproject.com/ticket/24280 this bug]. These previous reports state that square brackets cannot be present in the **value** of the cookie. Python's cookie library will drop everything after the square brackets **silently**.

In this bug, Python 2.7.10 does throw an `Illegal key value` error:


{{{
import Cookie

c = Cookie.SimpleCookie()
c['['] = 'test'  # CookieError: Illegal key value: [
}}}

So my guess is that this error wasn't being dealt with correctly in Django. So whichever function passed the request object into [https://github.com/django/django/blob/master/django/middleware/csrf.py#L168 this function] isn't parsing the cookies correctly.
"	Bug	closed	HTTP handling	1.9	Normal	duplicate	csrf, cookie		Unreviewed	0	0	0	0	0	0
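The ordering effect described in the ticket, reproduced with Python 3's `http.cookies` (the successor of the Python 2 `Cookie` module) as an added example that is not part of the ticket or of Django's code. `strict_parse` shows how `SimpleCookie.load()` stops at the first illegal name, and `lenient_parse` is a hypothetical helper that validates each pair on its own so the cookies after the bad one are still recovered; the `Cookie` header strings are constructed.

```python
from http.cookies import CookieError, SimpleCookie

# Constructed Cookie headers: same three cookies, different positions of the
# illegal name "[" (also covers a name such as "a[b]", which is illegal too).
BAD_FIRST = "[=whatever; csrftoken=abc123; sessionid=xyz"
BAD_LAST = "csrftoken=abc123; sessionid=xyz; [=whatever"
BRACKET_NAME = "a[b]=1; csrftoken=abc123; sessionid=xyz"


def strict_parse(header):
    """Parse a Cookie header with SimpleCookie.load().

    The stdlib parser matches pairs left to right and stops at the first one
    it cannot match, so every cookie after an illegal name is silently lost.
    This is the behaviour that loses csrftoken in the ticket.
    """
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def lenient_parse(header):
    """Hypothetical tolerant parser: split on ';' and validate each pair alone.

    A pair whose name is illegal raises CookieError when assigned into a
    SimpleCookie and is skipped; all other cookies are kept, so csrftoken
    survives regardless of where the malformed cookie sits in the header.
    """
    cookies = {}
    for chunk in header.split(";"):
        if "=" not in chunk:
            continue  # no name=value pair in this chunk
        name, value = chunk.split("=", 1)
        name, value = name.strip(), value.strip()
        if not name:
            continue
        try:
            SimpleCookie()[name] = value  # raises CookieError on an illegal name
        except CookieError:
            continue  # drop only the offending cookie, not the rest
        cookies[name] = value
    return cookies
```

Running `strict_parse` on `BAD_FIRST` returns an empty dict (no csrftoken at all), while on `BAD_LAST` it returns both good cookies; `lenient_parse` returns both good cookies for every header.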
