Fix documentation/cookie handling in response.set_cookie() #172
However, this does break backwards compatibility because we no longer allow unicode cookie values; these were technically contra-spec in the first place, and may not have been accepted by all browsers.
We also change from
@mmerickel Seems I made a mistake when looking at the code, ASCII is correct, high-order bytes are NOT allowed in cookies. So
Technically we should restrict the allowed characters even further to the allowed set as set in RFC6265:
So that WebOb does not allow the creation of cookies that fall outside of that spec.
The documentation erroneously states that expires can be a datetime.timedelta; this is incorrect, but since it has been documented as such, we should continue accepting it. Add the fact that it can be a datetime.datetime, and probably should be.
Start using the make_cookie call that is available in webob.cookies, this way we don't duplicate the same behavior.

There are a couple of backwards compatible fixes:

- If expires is set to a timedelta, and max_age is not set, we set max_age to expires a timedelta
- expires can also be a datetime, however this was not documented. So if it is a datetime, we want to get a timedelta, by taking the existing expires value, and removing datetime.utcnow() from the value.
We need to document that max_age can be an integer, timedelta or None, and what that means. max_age takes precedence over an expires argument.
The previous standard was the JSON serializer, however with upcoming changes that limit what characters are allowed in cookies, bare JSON no longer worked because it could return values that are invalid to be stored in cookies.
WebOb will now raise a ValueError if an attempt is made to set the cookie to an invalid value. According to RFC6265 a cookie-octet has a specific subset of allowed ASCII characters, and that subset does not change whether the value is DQUOT'ed or not. WebOb will still accept all other cookies, it just won't be able to create them.
Someday we can get rid of this mess and just be strict about what we send, but until such a day we want to warn people that it is going to happen in the future.
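
The cookie-octet restriction discussed in this pull request, as an added example that is not WebOb's code and not part of the original thread: it checks a value against the RFC 6265 `cookie-value` grammar and shows why bare JSON is rejected while an encoded form passes. The function names are hypothetical, and wrapping the JSON in URL-safe base64 is an assumption made for illustration, not necessarily the serializer the project chose.

```python
import base64
import json
import re

# RFC 6265 section 4.1.1:
#   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# i.e. printable ASCII minus whitespace, DQUOTE, comma, semicolon, backslash.
_INVALID_OCTET = re.compile(r'[^\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]')


def check_cookie_value(value):
    """Return value as str if it is a valid cookie-value, else raise ValueError."""
    if isinstance(value, bytes):
        try:
            value = value.decode('ascii')
        except UnicodeDecodeError:
            raise ValueError('cookie value contains high-order bytes')
    inner = value
    # Surrounding DQUOTEs are allowed, but the octets between them are
    # held to the same character set as an unquoted value.
    if len(inner) >= 2 and inner[0] == '"' and inner[-1] == '"':
        inner = inner[1:-1]
    bad = _INVALID_OCTET.search(inner)
    if bad:
        raise ValueError('invalid cookie-octet %r at offset %d'
                         % (bad.group(), bad.start()))
    return value


def dumps_b64_json(obj):
    """Serialize obj so the result contains only cookie-octets (assumed scheme)."""
    raw = json.dumps(obj).encode('utf-8')
    return base64.urlsafe_b64encode(raw).decode('ascii')


def loads_b64_json(text):
    """Inverse of dumps_b64_json."""
    return json.loads(base64.urlsafe_b64decode(text.encode('ascii')))


if __name__ == '__main__':
    session = {'user': 'alice', 'roles': ['admin']}  # constructed sample data
    try:
        check_cookie_value(json.dumps(session))
    except ValueError as exc:
        print('bare JSON rejected:', exc)
    print('encoded value accepted:', check_cookie_value(dumps_b64_json(session)))
```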