Opened 12 years ago

Closed 12 years ago

#6657 closed (fixed)

HttpResponse.set_cookie(secure=False) still sets secure cookies

Reported by: Marty Alchin Owned by: nobody
Component: HTTP handling Version: master
Severity: Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Currently, set_cookie() sets the secure attribute on the outgoing cookie if it's anything other than None, but since the secure attribute on cookies doesn't actually use a value, it gets sent out as secure any time any value is set on the cookie. This means that using secure=False results in a secure cookie. While it's still possible to set a non-secure cookie by simply omitting the secure argument entirely, the current behavior seems counter-intuitive.

>>> from django.http import HttpResponse
>>> response = HttpResponse()
>>> response.set_cookie('a')
>>> response.set_cookie('b', secure=False)
>>> response.set_cookie('c', secure=True)
>>> print response.cookies
Set-Cookie: a=; Path=/
Set-Cookie; b=; Path=/; secure
Set-Cookie; c=; Path=/; secure

Attachments (1)

set_cookie.diff (1.3 KB) - added by Marty Alchin 12 years ago.
Changed set_cookie() to take secure=False and to only set it on the cookie if it evaluates to True

Download all attachments as: .zip

Change History (3)

Changed 12 years ago by Marty Alchin

Attachment: set_cookie.diff added

Changed set_cookie() to take secure=False and to only set it on the cookie if it evaluates to True

comment:1 Changed 12 years ago by Malcolm Tredinnick

Triage Stage: UnreviewedReady for checkin

Does more than is necessary, but the rewrite is useful, too. Removing that replace() call just for the benefit of max-age isn't bad and we aren't going to be adding another 10 parameters here anytime soon, so the scaling of all the if-blocks isn't an issue.

comment:2 Changed 12 years ago by Gary Wilson

Resolution: fixed
Status: newclosed

(In [7204]) Fixed #6657 -- Don't set secure attribute on cookie if secure=False is passed, thanks Gulopine.

Note: See TracTickets for help on using tickets.
Back to Top