New submission from Raphael Slinckx <>:

If you look at line 132 in

ticket = auth_tkt.AuthTicket([...])
new_cookie_value = ticket.cookie_value()
return self._get_cookies(environ, new_cookie_value)

The value of the cookie is computed using paste's auth tkt mechanism, but then
is passed as-is to _get_cookies, which in turn does the following:

('Set-Cookie', '%s=%s; Path=/' % (self.cookie_name, value))

Now, if the cookie value contains any illegal chars such as 'space', then the
cookie will be worthless. It should then be quoted. 

Paste uses Python's SimpleCookie to generate the Set-Cookie header, which
handles all the quoting logic so that if the cookie value is 'foo bar' it will
use key="foo bar" and if the key is 'foobar' it will use key=foobar.

The space issue happens whenever a userid is a user_name with a space char in
it, since the user name is appended to the digest as is...

messages: 141
nosy: rslinckx
priority: bug
status: unread
title: repoze.who auth_tkt is broken when using string userid containing spaces

Repoze Bugs <>
Repoze-dev mailing list
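
The quoting difference described in the report, as an added example (not code from repoze.who or Paste). The ticket value is constructed, and reading the pair back with Python 3's http.cookies parser is an assumption standing in for whatever parses the returned Cookie header.

```python
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "auth_tkt"
# Constructed ticket value (not real auth_tkt output): a hex digest and
# timestamp, then a userid containing a space appended as-is, then "!".
TICKET = "0123456789abcdef0123456789abcdef" + "4a5b6c7d" + "john smith" + "!"


def raw_set_cookie(name, value):
    """Set-Cookie value built by plain string formatting, with no quoting."""
    return "%s=%s; Path=/" % (name, value)


def quoted_set_cookie(name, value):
    """Set-Cookie value built by SimpleCookie, which quotes only if needed."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def value_read_back(set_cookie_value, name):
    """Parse the name=value pair as a Cookie header; None if it is rejected."""
    pair = set_cookie_value.split(";", 1)[0]
    jar = SimpleCookie()
    try:
        jar.load(pair)
    except CookieError:
        return None
    return jar[name].value if name in jar else None


if __name__ == "__main__":
    for build in (raw_set_cookie, quoted_set_cookie):
        header = build(COOKIE_NAME, TICKET)
        value = value_read_back(header, COOKIE_NAME)
        print(build.__name__)
        print("  Set-Cookie:", header)
        print("  read back :", repr(value))
        print("  intact    :", value == TICKET)
```

A ticket that does not survive the round trip cannot be validated, so the user with a space in the userid is never authenticated.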