Doc'd HttpResponse.cookies.

[mij]

This PR documents attribute HttpRequest.cookies.

• only cookie-setting is currently documented as HttpResponse.set_cookie(), making cookies controllable but not observable
• cookies are also concealed from the lower-level HttpResponse.headers and HttpResponse.items() interfaces (no Set-Cookie)
• this makes it impossible to test the cookie logic of django applications with the current interface. This is particularly problematic when working with modern Single Page Applications which rely on httpOnly cookies for authentication.

This PR was solicited in IRC, and its content got a superficial review there. It does the following:

• mention and describe HttpResponse.cookies in the "Request and response objects" page.
• mention that Set-Cookie headers are omitted from HttpResponse.headers

As a side note, the current code is asymmetric: HttpRequest uses attribute HttpRequest.COOKIES, but HttpResponse uses HttpResponse.cookies. A perfectionist with deadlines might alias the existing HttpResponse.cookies to HttpResponse.COOKIES and document the latter – so both interfaces are symmetric and intuitive.

Comments welcome.

[shangxiao]

As a side note, the current code is asymmetric: HttpRequest uses attribute HttpRequest.COOKIES, but HttpResponse uses HttpResponse.cookies. A perfectionist with deadlines might alias the existing HttpResponse.cookies to HttpResponse.COOKIES and document the latter – so both interfaces are symmetric and intuitive.

Probably a separate discussion to have on the forum. One could argue that there are no other attributes in allcaps on response so there's no precedent 🤷‍♂️

[felixxm]

@mij Thanks 👍 Welcome aboard ⛵

I pushed tiny edits.