Opened 17 years ago

Closed 17 years ago

Last modified 5 years ago

#6657 closed (fixed)

HttpResponse.set_cookie(secure=False) still sets secure cookies

Reported by: Marty Alchin Owned by: nobody
Component: HTTP handling Version: dev
Severity: Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Currently, set_cookie() sets the secure attribute on the outgoing cookie if it's anything other than None, but since the secure attribute on cookies doesn't actually use a value, it gets sent out as secure any time any value is set on the cookie. This means that using secure=False results in a secure cookie. While it's still possible to set a non-secure cookie by simply omitting the secure argument entirely, the current behavior seems counter-intuitive.

>>> from django.http import HttpResponse
>>> response = HttpResponse()
>>> response.set_cookie('a')
>>> response.set_cookie('b', secure=False)
>>> response.set_cookie('c', secure=True)
>>> print response.cookies
Set-Cookie: a=; Path=/
Set-Cookie; b=; Path=/; secure
Set-Cookie; c=; Path=/; secure

Attachments (1)

set_cookie.diff (1.3 KB ) - added by Marty Alchin 17 years ago.
Changed set_cookie() to take secure=False and to only set it on the cookie if it evaluates to True

Download all attachments as: .zip

Change History (5)

by Marty Alchin, 17 years ago

Attachment: set_cookie.diff added

Changed set_cookie() to take secure=False and to only set it on the cookie if it evaluates to True

comment:1 by Malcolm Tredinnick, 17 years ago

Triage Stage: UnreviewedReady for checkin

Does more than is necessary, but the rewrite is useful, too. Removing that replace() call just for the benefit of max-age isn't bad and we aren't going to be adding another 10 parameters here anytime soon, so the scaling of all the if-blocks isn't an issue.

comment:2 by Gary Wilson, 17 years ago

Resolution: fixed
Status: newclosed

(In [7204]) Fixed #6657 -- Don't set secure attribute on cookie if secure=False is passed, thanks Gulopine.

comment:3 by Mariusz Felisiak <felisiak.mariusz@…>, 5 years ago

Easy pickings: unset
UI/UX: unset

In 15c5875:

Refs #6657 -- Corrected HttpResponse.set_cookie()/set_signed_cookie() signatures in docs.

comment:4 by Mariusz Felisiak <felisiak.mariusz@…>, 5 years ago

In 3ab7de01:

[3.0.x] Refs #6657 -- Corrected HttpResponse.set_cookie()/set_signed_cookie() signatures in docs.

Backport of 15c5875e693cc972c996a921560624c355ab8fdd from master

Note: See TracTickets for help on using tickets.
Back to Top