#10554: Response.set_cookie should allow setting two cookies of the same name.
-------------------------------+------------------------------------
Reporter: Jeremy Dunck | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Comment (by James Beard):

I believe the concern raised in comment:15 is valid, and that Django
shouldn't allow this.

Worth noting that RFC clause is being strengthened to MUST NOT in the
[https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis
current 6265bis draft 22], and there has been no change to make the
wording more nuanced than just "cookie-name".

The spec seems to be differentiating between what servers can safely try
to achieve in a single interaction, vs what user agents must be able to
keep track of and manage over a much longer period of time. Two cookies
with unique name+domain+path should definitely be able to be persisted by
the UA. However, the spec wants to make clear the server can't expect to
achieve this within a single response.

Unfortunately I can't find anything that confirms this is the authors'
rationale. Trawling through old mailing lists suggests the spirit of the
spec was to capture desirable behaviours while maximising
interoperability. Given the wide variety of client implementations out
there, this prohibition might be meant to cater to a lowest common
denominator.

All that said, I feel if Django started doing this today we would be going
against the advice of the spec, and eventually, when 6265bis comes into
effect, be intentionally non-compliant.

Is the rule of thumb generally that Django be strict about what it emits,
and forgiving in what it accepts?
--
Ticket URL: <https://code.djangoproject.com/ticket/10554#comment:20>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
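
Added example, not part of the ticket or of Django's code: a standard-library check that audits the Set-Cookie headers of one response for repeated cookie-names, and shows beside each the name+domain+path identity the comment says a UA can persist separately. The function names, the simplified storage key and the sample headers are assumptions made for illustration.

```python
from collections import defaultdict


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie-name, lower-cased attributes)."""
    pair, *attrs = header_value.split(";")
    name = pair.partition("=")[0].strip()
    parsed = {}
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        if key:
            parsed[key.strip().lower()] = val.strip()
    return name, parsed


def storage_key(name, attrs):
    """Simplified UA storage identity: name + domain + path.

    Assumption: a missing Domain/Path stays "" instead of being derived from the request.
    """
    domain = attrs.get("domain", "").lstrip(".").lower()
    return (name, domain, attrs.get("path", ""))


def audit_set_cookie(header_values):
    """Return {cookie-name: [storage keys]} for names set more than once
    in ONE response, even when the storage keys differ."""
    seen = defaultdict(list)
    for value in header_values:
        name, attrs = parse_set_cookie(value)
        seen[name].append(storage_key(name, attrs))
    return {name: keys for name, keys in seen.items() if len(keys) > 1}


# Constructed sample: Set-Cookie headers of a single response.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "lang=en; Path=/",
    "lang=fr; Path=/admin",  # same cookie-name, different path
    "theme=dark; Domain=.example.com; Path=/",
]

if __name__ == "__main__":
    for name, keys in audit_set_cookie(SAMPLE_HEADERS).items():
        print(f"{name!r}: {len(keys)} headers, {len(set(keys))} distinct storage keys")
```

The `lang` pair is reported although its two storage keys differ, which is the case the "cookie-name" wording covers.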