Request.set_cookie(expires) requires a UTC datetime but doesn't document this

[dobesv]

Currently Response.set_cookie will accept a datetime instance to specify the time at which the cookie should expire.

However, this datetime instance is expected to be a utc datetime, for example datetime.utcnow() + timedelta(seconds=3600), not a local datetime like datetime.now() + timedelta(seconds=3600).

Also, the provided datetime instance must NOT be timezone-aware or you will get an error. For example passing datetime.utcnow(tz=pytz.utc) + timedelta(seconds=3600).

If callers are not aware of these requirements, their application might fail unexpectedly if the app moves between time zones.

[digitalresistor]

expires on the Response.set_cookie is something I am going to deprecate. Setting a max_age automatically calculates the expiration correctly, and the API that is used to actually make the cookie no longer supports an expiration parameter.

Things that need to get fixed for now:

• If date time is timezone aware, convert it to UTC, without TZ
• Change date time from local to UTC

WebOb 1.9:

• Drop expires from the API entirely.

[digitalresistor]

There is no way to determine if a datetime is a local one or not. It's documented as long accepting a UTC datetime.

At this point, timezone aware datetime's are converted to UTC, and those work correctly now.