Fix clearing two cookies with the same name #3207

Merged
merged 3 commits into from
Jan 16, 2018


takluyver
Member

This is an ugly workaround, and it might go wrong if other code tries to manipulate the same cookies for the same response. But at least in my testing, it fixes the issue reported in #3196.

I think a properly robust fix would involve replacing http.cookies.BaseCookie with something that can handle multiple cookies with the same name. But Tornado appears to consider it a corner case that's not worth supporting (tornadoweb/tornado#1248), and it seems like a lot of work for us to build that just to tackle this one bug. Then again, it is a security bug, so maybe we should be taking that time.

cc @minrk .

Closes gh-3196
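An added illustration (not code from this pull request, the notebook project or Tornado) of the limitation the description refers to: `http.cookies.BaseCookie` is a dict keyed by cookie name, so queuing a clearing cookie for two paths in one jar leaves only the last one. The cookie name, paths and helper names are constructed for the example, and building each header in its own jar is one possible approach, not necessarily what `force_clear_cookie` does.

```python
from http.cookies import SimpleCookie

COOKIE_NAME = "username-localhost-8888"  # constructed sample cookie name
EXPIRED = "Thu, 01 Jan 1970 00:00:00 GMT"  # date in the past expires the cookie


def clear_with_one_jar(name, paths):
    """Queue a clearing cookie per path in a single name-keyed jar."""
    jar = SimpleCookie()
    for path in paths:
        jar[name] = ""  # same key: reuses the single entry for this name
        jar[name]["path"] = path  # so the earlier path is overwritten
        jar[name]["expires"] = EXPIRED
    return [morsel.OutputString() for morsel in jar.values()]


def clear_with_one_jar_per_path(name, paths):
    """Build each clearing cookie in its own jar so none is overwritten."""
    headers = []
    for path in paths:
        jar = SimpleCookie()
        jar[name] = ""
        jar[name]["path"] = path
        jar[name]["expires"] = EXPIRED
        headers.append(jar[name].OutputString())
    return headers


def paths_cleared(set_cookie_values):
    """Return the set of Path attributes found in Set-Cookie header values."""
    paths = set()
    for value in set_cookie_values:
        parsed = SimpleCookie()
        parsed.load(value)
        for morsel in parsed.values():
            paths.add(morsel["path"])
    return paths


if __name__ == "__main__":
    sample_paths = ["/base/", "/"]  # constructed: a base_url path plus the root
    for build in (clear_with_one_jar, clear_with_one_jar_per_path):
        values = build(COOKIE_NAME, sample_paths)
        print(build.__name__, sorted(paths_cleared(values)))
        for value in values:
            print("  Set-Cookie:", value)
```

A logout test can apply the same check to a real response by asserting that the set of `Path` values across its `Set-Cookie` headers covers every path the cookie may have been set on.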

if path and path != '/':
# also clear cookie on / to ensure old cookies
# are cleared after the change in path behavior.
self.clear_cookie(self.cookie_name)
self.force_clear_cookie(self.cookie_name)
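Review bot: the comment above `self.force_clear_cookie(self.cookie_name)` explains why the cookie on `/` is cleared, but not why the forced variant is needed alongside `self.clear_cookie(self.cookie_name)`. Add a line stating what `force_clear_cookie` does differently, and consider a logout test that asserts the response clears the cookie for both `path` and `/`, so the reason for this branch stays visible to whoever removes it later.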
Member

@minrk minrk Jan 15, 2018


Maybe just call the force_clear_cookie here so we are using the normal clear_cookie most of the time? And add a FIXME noting that this is a backward-compatibility bit added in 5.2?

Member Author


Thanks, done.

@takluyver
Member Author

I'm going to slip this into 5.3.

@takluyver takluyver added this to the 5.3 milestone Jan 16, 2018
@takluyver takluyver merged commit 64bde3e into jupyter:master Jan 16, 2018
@takluyver takluyver deleted the clearing-cookies branch January 16, 2018 14:57
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 3, 2021
Successfully merging this pull request may close these issues.

Problem signing out of Jupyter Notebooks if c.NotebookApp.base_url is set (cookie not cleared)