Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix clearing two cookies with the same name #3207

Merged
merged 3 commits into from Jan 16, 2018

Conversation

@takluyver
Copy link
Member

@takluyver takluyver commented Jan 12, 2018

This is an ugly workaround, and it might go wrong other code tries to manipulate the same cookies for the same response. But at least in my testing, it fixes the issue reported in #3196 .

I think a properly robust fix would involve replacing http.cookies.BaseCookie with something that can handle multiple cookies with the same name. But Tornado appears to consider it a corner case that's not worth supporting (tornadoweb/tornado#1248), and it seems like a lot of work for us to build that just to tackle this one bug. Then again, it is a security bug, so maybe we should be taking that time.

cc @minrk .

Closes gh-3196

if path and path != '/':
# also clear cookie on / to ensure old cookies
# are cleared after the change in path behavior.
self.clear_cookie(self.cookie_name)
self.force_clear_cookie(self.cookie_name)
Copy link
Member

@minrk minrk Jan 15, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe just call the force_clear_cookie here so we are using the normal clear_cookie most of the time? And add a FIXME noting that this is a backward-compatibily bit added in 5.2?

Loading

Copy link
Member Author

@takluyver takluyver Jan 16, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, done.

Loading

@takluyver
Copy link
Member Author

@takluyver takluyver commented Jan 16, 2018

I'm going to slip this into 5.3.

Loading

@takluyver takluyver added this to the 5.3 milestone Jan 16, 2018
@takluyver takluyver merged commit 64bde3e into jupyter:master Jan 16, 2018
4 checks passed
Loading
@takluyver takluyver deleted the clearing-cookies branch Jan 16, 2018
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 3, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

2 participants