Opened 17 years ago
Closed 17 years ago
#5816 closed (fixed)
Cookie 'expires' date is modified by locale
Reported by: | Michael Lemaire | Owned by: | nobody |
---|---|---|---|
Component: | HTTP handling | Version: | dev |
Severity: | Keywords: | ||
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
When you set the locale to something other than english (I do this in my views.py)
the cookie sent by the server with the 'sessionid' has an expire date written with this locale,
which makes the cookie rejected by some browsers (like Safari for instance).
I do this at the top of my views.py (after django imports):
locale.setlocale(locale.LC_ALL,'fr_FR.utf8')
And the cookie sent in HTTP headers is:
Set-Cookie: sessionid=fdb004842a4142ac821ed522a78d54cd; expires=jeu, 08-nov-2007 12:30:48 GMT; Max-Age=1209600; Path=/
Most browsers seems to tolerate this, but not Safari.
Attachments (3)
Change History (13)
comment:1 by , 17 years ago
by , 17 years ago
comment:2 by , 17 years ago
Triage Stage: | Unreviewed → Accepted |
---|---|
Version: | 0.96 → SVN |
comment:3 by , 17 years ago
Has patch: | set |
---|
by , 17 years ago
Attachment: | http_dates.diff added |
---|
comment:4 by , 17 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
Good catch, Karen. This did cross my mind when I was updating my session middleware patch but I dismissed it.
My patch adds the following methods to django.utils.http
(and refactors code which use them):
cookie_date
-- which formats the date to be compatible with the Netscape format
http_date
-- which formats the date to be compatible with HTTP
Note that the previous format we were using for a backwards compatible cookie date was actually incorrect, the spec says it should be DD-Mon-YY
, not DD-Mon-YYYY
.
comment:5 by , 17 years ago
Oh, it also replaces the reference to the rfc822
module (deprecated since 2.3) replacing with email.Utils
comment:6 by , 17 years ago
And sorry, thanks Michael for the report (creds for the initial patch though, Karen ;))
comment:7 by , 17 years ago
Patch needs improvement: | set |
---|---|
Triage Stage: | Ready for checkin → Accepted |
The problem with specs is that there are so many to choose from. RFC 2109 (not 2019 mentioned in the comments) was poorly accepted in practice and everybody implemented the original Netscape spec, which had four digit years to be compliant with, e.g., RFC 822. So our original code was correct in this respect. Cookies are the most inconsistently specified thing, even for browsers, which a history of poor specification. We only need one date formatting function here.
comment:8 by , 17 years ago
I'm guilty of combining patches again here. This ticket only needs cookie_date
...but while I was at it I thought I'd tidy up the HTTP date references too (the formatdate(...)[:26] + 'GMT'
code everywhere seems a bit silly) so that's what http_date
is for: HTTP headers. We could just use email.Utils.formatdate(usegmt=True)
but that only came in in 2.4 so it seemed tidier to abstract it to our own util method.
Re the original Netscape spec - fair enough, I'll fix that.
by , 17 years ago
Attachment: | http_dates.2.diff added |
---|
comment:9 by , 17 years ago
Patch needs improvement: | unset |
---|---|
Triage Stage: | Accepted → Ready for checkin |
Restore old date formatting code