karl added the comment:
Yes the new RFC has been written by Adam Barth who wanted to describe things
matching the reality of HTTP and servers/browsers issues.
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue17340
Terry J. Reedy added the comment:
I believe our normal policy is to only follow accepted RFCs. But your comment
suggests that in this case we should pay attention to the new draft. Do you
have any idea why apparently nothing has happened in two years? Do some people
oppose it?
Luke Plant added the comment:
I'm a core developer on Django, and I've looked into cookies a lot, and also
Python's SimpleCookie, and I've found that all accepted RFCs are completely
irrelevant for this issue.
No accepted RFC was ever widely implemented - instead browsers mainly did
karl added the comment:
The current status of RFC6265 is PROPOSED STANDARD
http://www.rfc-editor.org/info/rfc6265
Adam Barth is part of the Google Chrome Team. I do not want to talk for Adam.
So better ask him, I don't think he has the energy/will to push further through
the IETF process.
Terry J. Reedy added the comment:
Code behaving as documented is not a bug for tracker purposes. Adding a
parameter to allow new behavior is an enhancement for a future release.
Who is responsible for the invalid cookie? Pardon my ignorance, but if tornado
re-sets the cookie, why cannot it
keakon added the comment:
Terry, say that a user's cookie is ",BRIDGE_R=; a=b;" right now.
When he logs in, the server sends a "Set-Cookie: user_id=1; Path=/" header to him.
Then his cookie is ",BRIDGE_R=; a=b; user_id=1;" now.
The next time he sends the cookie to the server, Cookie.SimpleCookie.load() tries
Terry J. Reedy added the comment:
keakon, changing the headers after a developer sets them is insulting,
annoying, a waste of my time to change them back again, and a distraction from
the issue.
type: behavior -> enhancement
versions: +Python 3.4 -Python 2.7
keakon added the comment:
Terry, I think that's the standard process of web applications.
1. The user agent sends its cookie via HTTP headers to the web server.
2. The web server parses the cookie. If the server fails to find something
that proves the user has logged in from his cookie, redirect him to
karl added the comment:
Just a quick note that the new specification for HTTP State Mechanism (aka
cookies) is http://tools.ietf.org/html/rfc6265
keakon, do you know why her cookie was ',BRIDGE_R=;'?
nosy: +karlcow
keakon added the comment:
karl, I don't know the exact reason.
BRIDGE_R is a cookie name set by Baidu Bridge. I don't know why there is a
comma before it.
The Baidu Bridge is an external JavaScript resource. It can do anything like:
document.cookie = ',BRIDGE_R=;';
I think Baidu Bridge set the
Terry J. Reedy added the comment:
Karl, do you know if the (2 year old) draft better reflects actual usage than
2965? Is there much change other than deprecating the use of the Cookie2 and
Set-Cookie2 header fields?
New submission from keakon:
One of my users told me that she couldn't log in to my website yesterday. I
logged her cookie, and found it began with ',BRIDGE_R=;' which was a malformed
cookie.
Tornado uses Cookie.SimpleCookie.load() to parse her cookie, and returns an
empty dict when catching an
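
Added example, not part of the thread and not Tornado's or CPython's code: a tolerant Cookie header parser that skips a pair with an illegal name instead of discarding the whole header, so the `user_id` cookie from the report survives. The function name `parse_cookie_header`, the first-occurrence-wins policy and the returned `rejected` list (for logging) are assumptions of this sketch.

```python
import re

# A cookie-name is an HTTP token (RFC 6265, section 4.1.1).
# A comma is a separator, not a token character, so ",BRIDGE_R" is illegal.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_cookie_header(header):
    """Parse a Cookie request header leniently.

    Returns (cookies, rejected): a dict of the valid name/value pairs and a
    list of the raw pairs that were skipped, so the caller can log them.
    """
    cookies, rejected = {}, []
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue  # empty segment, e.g. after a trailing ';'
        name, sep, value = pair.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not _TOKEN.match(name):
            # Skip only the offending pair; keep parsing the rest.
            rejected.append(pair)
            continue
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip surrounding double quotes
        # Policy choice of this example: the first occurrence of a name wins.
        cookies.setdefault(name, value)
    return cookies, rejected


# The Cookie header described in the report above.
SAMPLE = ",BRIDGE_R=; a=b; user_id=1"

if __name__ == "__main__":
    cookies, rejected = parse_cookie_header(SAMPLE)
    print("accepted:", cookies)
    print("rejected:", rejected)
```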