#6657 closed (fixed)
HttpResponse.set_cookie(secure=False) still sets secure cookies
| Reported by: | Marty Alchin | Owned by: | nobody |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Keywords: | ||
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Currently, set_cookie() sets the secure attribute on the outgoing cookie if it's anything other than None, but since the secure attribute on cookies doesn't actually use a value, it gets sent out as secure any time any value is set on the cookie. This means that using secure=False results in a secure cookie. While it's still possible to set a non-secure cookie by simply omitting the secure argument entirely, the current behavior seems counter-intuitive.
>>> from django.http import HttpResponse >>> response = HttpResponse() >>> response.set_cookie('a') >>> response.set_cookie('b', secure=False) >>> response.set_cookie('c', secure=True) >>> print response.cookies Set-Cookie: a=; Path=/ Set-Cookie; b=; Path=/; secure Set-Cookie; c=; Path=/; secure
Attachments (1)
Change History (5)
by , 17 years ago
| Attachment: | set_cookie.diff added |
|---|
comment:1 by , 17 years ago
| Triage Stage: | Unreviewed → Ready for checkin |
|---|
Does more than is necessary, but the rewrite is useful, too. Removing that replace() call just for the benefit of max-age isn't bad and we aren't going to be adding another 10 parameters here anytime soon, so the scaling of all the if-blocks isn't an issue.
comment:2 by , 17 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
Changed
set_cookie()to takesecure=Falseand to only set it on the cookie if it evaluates toTrue