Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix clearing two cookies with the same name #3207

Merged
merged 3 commits into from Jan 16, 2018

Conversation

Projects
None yet
2 participants
@takluyver
Copy link
Member

takluyver commented Jan 12, 2018

This is an ugly workaround, and it might go wrong other code tries to manipulate the same cookies for the same response. But at least in my testing, it fixes the issue reported in #3196 .

I think a properly robust fix would involve replacing http.cookies.BaseCookie with something that can handle multiple cookies with the same name. But Tornado appears to consider it a corner case that's not worth supporting (tornadoweb/tornado#1248), and it seems like a lot of work for us to build that just to tackle this one bug. Then again, it is a security bug, so maybe we should be taking that time.

cc @minrk .

Closes gh-3196

if path and path != '/':
# also clear cookie on / to ensure old cookies
# are cleared after the change in path behavior.
self.clear_cookie(self.cookie_name)
self.force_clear_cookie(self.cookie_name)

This comment has been minimized.

@minrk

minrk Jan 15, 2018

Member

Maybe just call the force_clear_cookie here so we are using the normal clear_cookie most of the time? And add a FIXME noting that this is a backward-compatibily bit added in 5.2?

This comment has been minimized.

@takluyver

takluyver Jan 16, 2018

Author Member

Thanks, done.

@takluyver

This comment has been minimized.

Copy link
Member Author

takluyver commented Jan 16, 2018

I'm going to slip this into 5.3.

@takluyver takluyver added this to the 5.3 milestone Jan 16, 2018

@takluyver takluyver merged commit 64bde3e into jupyter:master Jan 16, 2018

4 checks passed

codecov/patch 93.33% of diff hit (target 0%)
Details
codecov/project 78.75% (+0.02%) compared to de92a2b
Details
continuous-integration/appveyor/pr AppVeyor build succeeded
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

@takluyver takluyver deleted the takluyver:clearing-cookies branch Jan 16, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.