Consider something more lenient for cookie parsing #898
Comments
Okay, so the way to move this forward would be to take a look at what Flask and Django do here, so that we’ve got some existing work to base this on. Want to take a dig into either of those and see how it compares to what we currently have in Starlette?
I had the same thought, which is why I gave that example from Flask above (Werkzeug is the library that handles these things for Flask). The Werkzeug parser is a pretty low-level parser handling bytes and using regexes. It looks like the kind of inscrutable code someone would write for performance. Django, by contrast, has a custom cookie parser as well which utilizes the standard library's
The result of using their cookie parser also reproduces all the cookies given in my first example:

```python
In [3]: parse_cookie(cookieval)
Out[3]:
{'okta-oauth-nonce': 'validAsciiblabla',
 'okta-oauth-state': 'validAsciiBlabla',
 'okta-oauth-redirect-params': '{"responseType":"code","state":"somestate","nonce":"somenonce","scopes":["openid","profile","email","phone"],"urls":{"issuer":"https://subdomain.okta.com/oauth2/authServer","authorizeUrl":"https://subdomain.okta.com/oauth2/authServer/v1/authorize","userinfoUrl":"https://subdomain.okta.com/oauth2/authServer/v1/userinfo"}}',
 'importantCookie': 'importantValue',
 'sessionCookie': 'importantSessionValue'}
```

It would be straightforward to implement something like what Django is doing. I am not sure about the performance implications. It would probably be a good idea to have an approach like the following:
Thanks, that's a good summary. I'd opt for correctness-first... If the Django approach looks correct, and easier to implement, then that's what we should go for. 👍 There's no particular reason why there'd be any actually significant performance concerns with it.
The best way to approach this would probably be to start by writing a failing test, and submit that as a pull request.
I would be happy to do that. We can use my example given above. I was hoping to find a weird-cookie dataset to try.
Hello,
I have used Starlette in a handful of small services in the past few months and have been really happy with it. It's a great project.
Last week I ran into something that I wanted to raise as a potential issue here, because it may be worth considering.
We have an application that uses Okta's Sign-In widget for authentication (which is an OpenID Connect thing). Okta does its OAuth2 callback-redirect and they set some cookies, at least one of which is well outside the spec of HTTP cookies. Anyway, in Starlette the `request.cookies` attribute ends up pretty mangled as a result.

Here's an example of what I'm talking about using the same cookie-parsing technique in Starlette, which relies on Python's standard library module `http.cookies`:

Notice in the example above, `cookieval` contains 5 important cookies (including the session cookie set by Starlette's `SessionMiddleware`), but only two are successfully parsed by this method.

I have seen a lot of wacky stuff thrown into cookies, so it may be a good idea to provide some method to parse them more leniently in the Starlette project.
Also, out of curiosity, I took a tour through what Werkzeug is doing and they have some pretty low-level code for parsing cookies, but it does successfully parse the above:
In short, cookies seem to be one of those things where while there exists a spec, people have been ignoring it for a long time, and so it may be worth parsing them more leniently or offering an option to do so in the project.
Python's `http.cookies` module even has the following comment:

Thanks for reading and for working on this project. I would be happy to help contribute back to it if I can.
For reference, here's the RFC 6265 spec, which obsoletes the older spec referenced by the Python standard library's `http.cookies` module (it actually references an even older spec...).