Cookies with quotes

[acordiner]

This change permits cookie values to be quoted and contain equal signs, e.g.:

_cookie_session="hello=world"

[coveralls]

Coverage remained the same at 100.0% when pulling 88eadc4 on acordiner:cookies-with-quotes into fb323b8 on TracyWebTech:master.

[acordiner]

Any chance to get this merged?

[seocam]

Thanks @acordiner, that's really interesting!

I was checking the complete cookies specs and looks like we are missing a bunch of stuff: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Directives

[acordiner]

There is actually a built-in Python library for handling cookies: https://docs.python.org/2/library/cookie.html
It takes care of these sort of decoding issues.

[seocam]

Looks like for some reason that the http.cookies library doesn't work for every cookie. Take a look in this example:

This code:

from http.cookies import Cookie

cookie = "_cookie_session=1266bb13c139cfba3ed1c9c68110bae9;" \
         "expires=Thu, 29 Jan 2015 13:51:41 -0000; httponly;" \
         "secure;Path=/gitlab"

dict(Cookie(cookie).values()[0])

Outputs:

{'comment': '',
 'domain': '',
 'expires': 'Thu,',
 'httponly': True,
 'max-age': '',
 'path': '/gitlab',
 'secure': True,
 'version': ''}

While using cookie_from_string:

from revproxy.utils import cookie_from_string
cookie_from_string(cookie)

Outputs:

{'expires': 'Thu, 29 Jan 2015 13:51:41 -0000',
 'httponly': True,
 'key': '_cookie_session',
 'path': '/gitlab',
 'secure': True,
 'value': '1266bb13c139cfba3ed1c9c68110bae9'}

[acordiner]

I believe that the "expires" attribute must always end with "GMT" to comply with the RFC. If you change -0000 to GMT in your cookie string then it should work. I've pushed another change to my pull request that uses the http.cookies library. What do you think?

[seocam]

@acordiner the cookie in the test came from a real life example. Unfortunately even if the RFC says it needs to end with GMT if the browsers accept the -0000 and some web applications actually generate the cookie this way your change will break compatibility for current users of django-revproxy.

I understand that your PR is quite important and useful but we need to take care of backward compatibility as well.

[acordiner]

How about if there is a setting for "strict" mode: if enabled it uses my code, if disabled it uses the previous code?

The problem with the current code is that it is rejecting valid cookies. Specifically I am trying to use it with JupyterHub, but it doesn't work because JupyterHub uses cookies containing quotes.

[seocam]

The strict mode seems a viable alternative but I would prefer to try to have the code working for both cases.

If that helps you we can release a version with the strict arg (maybe a private property?) and then we revisit the implementation after.

[coveralls]

Coverage remained the same at 100.0% when pulling 5d8f45c on acordiner:cookies-with-quotes into b0e7be6 on TracyWebTech:master.

[coveralls]

Coverage remained the same at 100.0% when pulling 1ba9b3b on acordiner:cookies-with-quotes into b0e7be6 on TracyWebTech:master.

[coveralls]

Coverage remained the same at 100.0% when pulling 2e3ffb3 on acordiner:cookies-with-quotes into b0e7be6 on TracyWebTech:master.

[coveralls]

Coverage remained the same at 100.0% when pulling 2e3ffb3 on acordiner:cookies-with-quotes into b0e7be6 on TracyWebTech:master.

[coveralls]

Coverage remained the same at 100.0% when pulling 62fef6c on acordiner:cookies-with-quotes into b0e7be6 on TracyWebTech:master.

[coveralls]

Coverage remained the same at 100.0% when pulling 62fef6c on acordiner:cookies-with-quotes into b0e7be6 on TracyWebTech:master.

[coveralls]

Coverage remained the same at 100.0% when pulling 62fef6c on acordiner:cookies-with-quotes into b0e7be6 on TracyWebTech:master.

[coveralls]

Coverage decreased (-100.0%) to 0.0% when pulling 612e8c7 on acordiner:cookies-with-quotes into b0e7be6 on TracyWebTech:master.

[coveralls]

Coverage decreased (-100.0%) to 0.0% when pulling 39bc69a on acordiner:cookies-with-quotes into b0e7be6 on TracyWebTech:master.

[coveralls]

Coverage decreased (-100.0%) to 0.0% when pulling b214847 on acordiner:cookies-with-quotes into b0e7be6 on TracyWebTech:master.

[coveralls]

Coverage remained the same at 100.0% when pulling 2b60229 on acordiner:cookies-with-quotes into b0e7be6 on TracyWebTech:master.

[acordiner]

@seocam - For now I've added the strict mode as discussed.

[acordiner]

Any chance to get this merged?

[seocam]

I'm gonna merge it but not release a version yet because it's missing docs. Could you please work on that? Thanks for the contribution!

[acordiner]

@seocam - I've added some documentation to proxyview.rst.