
Opened 6 years ago

Closed 6 years ago

#6657 closed (fixed)

HttpResponse.set_cookie(secure=False) still sets secure cookies

Reported by: Gulopine
Owned by: nobody
Component: HTTP handling
Version: master
Severity:
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Currently, set_cookie() sets the secure attribute on the outgoing cookie if it's anything other than None, but since the secure attribute on cookies doesn't actually use a value, it gets sent out as secure any time any value is set on the cookie. This means that using secure=False results in a secure cookie. While it's still possible to set a non-secure cookie by simply omitting the secure argument entirely, the current behavior seems counter-intuitive.

>>> from django.http import HttpResponse
>>> response = HttpResponse()
>>> response.set_cookie('a')
>>> response.set_cookie('b', secure=False)
>>> response.set_cookie('c', secure=True)
>>> print response.cookies
Set-Cookie: a=; Path=/
Set-Cookie: b=; Path=/; secure
Set-Cookie: c=; Path=/; secure
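The attribute handling the report describes, as an added example that is not code from the ticket or from Django itself: a stand-alone renderer that stores `secure` exactly the way the report says the old `set_cookie()` did, the `if secure:` gating the fix adopts, and a user-agent-side parser written from RFC 6265 section 5.2.5, which shows that Secure is a presence flag whose value a browser discards, so `Secure=False` on the wire is still a Secure cookie. The function names (`render_set_cookie`, `set_cookie_before`, `set_cookie_after`, `parse_set_cookie`, `stdlib_secure_flag`, `secure_as_seen_by_browser`) are this example's own, and the `stdlib_secure_flag` check is an assumption about today's `http.cookies` module, not the 2008 `Cookie` module the ticket ran against.

```python
from http.cookies import SimpleCookie

# On the wire, Secure and HttpOnly are bare tokens: there is no value slot in
# which "False" could travel, which is the root cause the ticket describes.
FLAG_TOKENS = {"secure": "Secure", "httponly": "HttpOnly"}


def render_set_cookie(name, value, attrs):
    """Serialize a cookie plus attribute dict into a Set-Cookie header value.

    Flag attributes are emitted as a bare token whenever the key is present,
    whatever it was set to; this mirrors the serializer behaviour visible in
    the ticket's example output.
    """
    parts = [f"{name}={value}"]
    for key, val in attrs.items():
        if key in FLAG_TOKENS:
            parts.append(FLAG_TOKENS[key])
        else:
            parts.append(f"{key}={val}")
    return "; ".join(parts)


def set_cookie_before(name, value="", secure=None, path="/"):
    """Reported behaviour: anything other than None is stored, and because
    the flag cannot carry a value, secure=False still renders 'Secure'."""
    attrs = {"Path": path}
    if secure is not None:
        attrs["secure"] = secure
    return render_set_cookie(name, value, attrs)


def set_cookie_after(name, value="", secure=False, path="/"):
    """The fix: the attribute is only stored when secure evaluates true, so
    a falsy value leaves it off the header entirely."""
    attrs = {"Path": path}
    if secure:
        attrs["secure"] = True
    return render_set_cookie(name, value, attrs)


def parse_set_cookie(header):
    """User-agent side, after RFC 6265 section 5.2: split name=value from the
    attribute list and evaluate each attribute. Sections 5.2.5 and 5.2.6 say
    the Secure and HttpOnly attribute-values are ignored, so presence alone
    switches the flag on: 'Secure=False' and 'Secure=0' are both Secure.
    """
    name_value, _, rest = header.partition(";")
    name, _, value = name_value.strip().partition("=")
    attrs = {"secure": False, "httponly": False}
    for raw in rest.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        aname, _, aval = raw.partition("=")
        aname = aname.strip().lower()
        if aname in FLAG_TOKENS:
            attrs[aname] = True  # aval is discarded, per the RFC
        else:
            attrs[aname] = aval.strip()
    return name.strip(), value.strip(), attrs


def stdlib_secure_flag(flag):
    """Assumption about today's http.cookies (not the 2008 Cookie module the
    ticket ran on): a Morsel emits the Secure token only when its 'secure'
    attribute is truthy, which is the same gating the fix applies."""
    jar = SimpleCookie()
    jar["x"] = "1"
    jar["x"]["secure"] = flag
    return "secure" in jar.output().lower()


def secure_as_seen_by_browser():
    """Replay the ticket's three calls before the fix, plus the fixed
    secure=False case, and report what a browser would conclude."""
    headers = {
        "a": set_cookie_before("a"),
        "b": set_cookie_before("b", secure=False),
        "c": set_cookie_before("c", secure=True),
        "b_fixed": set_cookie_after("b", secure=False),
    }
    return {k: parse_set_cookie(h)[2]["secure"] for k, h in headers.items()}


if __name__ == "__main__":
    for label, flag in secure_as_seen_by_browser().items():
        print(f"{label}: secure={flag}")
```

The parser is the part worth keeping in mind when reviewing cookie code: a server cannot "turn off" Secure by writing a value into it, only by leaving the attribute out, which is why the fix gates on truthiness rather than on `is not None`.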

Attachments (1)

set_cookie.diff (1.3 KB) - added by Gulopine 6 years ago.
Changed set_cookie() to take secure=False and to only set it on the cookie if it evaluates to True


Change History (3)

Changed 6 years ago by Gulopine

Changed set_cookie() to take secure=False and to only set it on the cookie if it evaluates to True

comment:1 Changed 6 years ago by mtredinnick

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Ready for checkin

Does more than is necessary, but the rewrite is useful, too. Removing that replace() call just for the benefit of max-age isn't bad and we aren't going to be adding another 10 parameters here anytime soon, so the scaling of all the if-blocks isn't an issue.

comment:2 Changed 6 years ago by gwilson

  • Resolution set to fixed
  • Status changed from new to closed

(In [7204]) Fixed #6657 -- Don't set secure attribute on cookie if secure=False is passed, thanks Gulopine.
