#6657 closed (fixed)
HttpResponse.set_cookie(secure=False) still sets secure cookies
Reported by: | Marty Alchin | Owned by: | nobody |
---|---|---|---|
Component: | HTTP handling | Version: | dev |
Severity: | Keywords: | ||
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Currently, set_cookie()
sets the secure
attribute on the outgoing cookie if it's anything other than None
, but since the secure
attribute on cookies doesn't actually use a value, it gets sent out as secure any time any value is set on the cookie. This means that using secure=False
results in a secure cookie. While it's still possible to set a non-secure cookie by simply omitting the secure
argument entirely, the current behavior seems counter-intuitive.
>>> from django.http import HttpResponse >>> response = HttpResponse() >>> response.set_cookie('a') >>> response.set_cookie('b', secure=False) >>> response.set_cookie('c', secure=True) >>> print response.cookies Set-Cookie: a=; Path=/ Set-Cookie; b=; Path=/; secure Set-Cookie; c=; Path=/; secure
Attachments (1)
Change History (5)
by , 17 years ago
Attachment: | set_cookie.diff added |
---|
comment:1 by , 17 years ago
Triage Stage: | Unreviewed → Ready for checkin |
---|
Does more than is necessary, but the rewrite is useful, too. Removing that replace()
call just for the benefit of max-age isn't bad and we aren't going to be adding another 10 parameters here anytime soon, so the scaling of all the if-blocks isn't an issue.
comment:2 by , 17 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Changed
set_cookie()
to takesecure=False
and to only set it on the cookie if it evaluates toTrue