Fix documentation/cookie handling in response.set_cookie()#172
Fix documentation/cookie handling in response.set_cookie()#172digitalresistor wants to merge 27 commits into
Conversation
|
This additionally fixes: #129 |
|
I'm definitely +1 on utilizing |
|
@mmerickel Seems I made a mistake when looking at the code, ASCII is correct, high-order bytes are NOT allowed in cookies. So Technically we should restrict the allowed characters even further to the allowed set as set in RFC6265: So that WebOb does not allow the creation of cookies that fall outside of that spec. |
There was a problem hiding this comment.
Fixed. Squashed.
|
+1, LGTM This is a nice cleanup of the cookie apis. |
There was a problem hiding this comment.
Can you say a few words about what RFC6265 allows here so folks don't need to look up the spec, and say under what circumstances a warning will be issued?
There was a problem hiding this comment.
We should also push out this code in the form of an alpha release, if only to let people try it and tell us "hey I was successfully using WebOb to store cookies with high-order names/values and you broke me!"
There was a problem hiding this comment.
Currently the API will just issue a RuntimeWarning, which hopefully means we don't break anyone, but give everyone time to update their code.
I will update this file with your suggestions for what RFC6265 allows, and I am all for doing an alpha release/beta release to make sure I didn't break anything... at least too terribly ;-)
|
This all looks reasonable to me; did confirm that the interpretation of RFC6265 that Bert had is more or less correct. As I mentioned above we should push this out in some sort of "major alpha" to see if it hurts anyone. |
|
Information has been added about the cookie-octet allowed characters in docs/news.txt. Thank you both for reviewing this :-) |
The documentation for expires incorrectly states that expires can be a timedelta, let's add a test for that.
The documentation erroneously states that that expires can be a datetime.timedelta, this is incorrect, but since it has been documented as such, we should continue accepting it. Add the fact that it can be a datetime.datetime, and probably should be.
Start using the make_cookie call that is available in webob.cookies, this way we don't duplicate the same behavior. There are a couple of backwards compatible fixes: - If expires is set to a timedelta, and max_age is not set, we set max_age to expires a timedelta - expires can also be a datetime, however this was not documented. So if it is a datetime, we want to get a timedelta, by taking the existing expires value, and removing datetime.utcnow() from the value.
We need to document that max_age can be an integer, timedelta or None, and what that means. max_age takes precedence over an expires argument.
Unicode values in cookies are invalid.
The previous standard was the JSON serializer, however with upcoming changes that limit what characters are allowed in cookies, bare JSON no longer worked because it could return values that are invalid to be stored in cookies.
WebOb will now raise a ValueError if an attempt is made to set the cookie to an invalid value. According to RFC6265 a cookie-octet has a specific subset of allowed ASCII characters, and that subset does not change whether the value is DQUOT'ed or not. WebOb will still accept all other cookies, it just won't be able to create them.
We want to make sure we have at least one test for CookieProfile that fetches a cookie from our request object, and then verifies it returns the appropriate answer.
Someday we can get rid of this mess and just be strict about what we send, but until such a day we want to warn people that it is going to happen in the future.
This makes the warning more noticeable to people and will be less likely to be ignored.
Sets up the cookies._should_raise using a module setup/teardown functions instead of setting it at module scope per suggestions from Michael Merickel.
We want to provide people an easy to find resource on what is now going to be valid in a WebOb cookie.
|
Superseded by #188 |
3 participants
This updates
response.set_cookie()with proper documentation, and refactors it so that it useswebob.cookies.make_cookie()instead of it's own implementation, code-reuse for the win!However, this does break backwards compatibility because we no longer allow unicode cookie values, these were technically contra-spec in the first place, and may not have been accepted by all browsers.
We also change from
keytonamebecause cookies have names.This fixes #166 and #171.