HttpResponse.set_cookie(secure=False) still sets secure cookies
Currently, set_cookie() sets the secure attribute on the outgoing cookie if it's anything other than None, but since the secure attribute on cookies doesn't actually use a value, it gets sent out as secure any time any value is set on the cookie. This means that using secure=False results in a secure cookie. While it's still possible to set a non-secure cookie by simply omitting the secure argument entirely, the current behavior seems counter-intuitive.
>>> from django.http import HttpResponse
>>> response = HttpResponse()
>>> response.set_cookie('a')
>>> response.set_cookie('b', secure=False)
>>> response.set_cookie('c', secure=True)
>>> print response.cookies
Set-Cookie: a=; Path=/
Set-Cookie; b=; Path=/; secure
Set-Cookie; c=; Path=/; secure
- set_cookie.diff
(1.3 KB
) - added by Marty Alchin 17 years ago.
- Changed
set_cookie() to take secure=False and to only set it on the cookie if it evaluates to True
Download all attachments as:
.zip
| Triage Stage: |
Unreviewed → Ready for checkin
|
| Resolution: |
→ fixed
|
| Status: |
new → closed
|
| Easy pickings: |
unset
|
| UI/UX: |
unset
|
Changed
set_cookie()to takesecure=Falseand to only set it on the cookie if it evaluates toTrue