What's new in Tornado 3.2.1
May 5, 2014
- The signed-value format used by RequestHandler.set_secure_cookie
and RequestHandler.get_secure_cookie has changed to be more secure.
This is a disruptive change. The
secure_cookie functions take new
version parameters to support transitions between cookie formats.
- The new cookie format fixes a vulnerability that may be present in applications that use multiple cookies where the name of one cookie is a prefix of the name of another.
- To minimize disruption, cookies in the older format will be accepted
by default until they expire. Applications that may be vulnerable
can reject all cookies in the older format by passing
- Thanks to Joost Pol of Certified Secure for reporting this issue.
- Signed cookies issued by RequestHandler.set_secure_cookie in Tornado
3.2.1 cannot be read by older releases. If you need to run 3.2.1
in parallel with older releases, you can pass
version=1 to RequestHandler.set_secure_cookie to issue cookies that are backwards-compatible (but have a known weakness, so this option should only be used for a transitional period).
- The C extension used to speed up the websocket module now compiles correctly on Windows with MSVC and 64-bit mode. The fallback to the pure-Python alternative now works correctly on Mac OS X machines with no C compiler installed.
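The following is an added illustration, not Tornado's own code (Tornado's implementation lives in tornado.web and its version-2 layout also carries a key-version field). It models the change described in the cookie items above: a legacy signing input that concatenates name, value and timestamp, a length-prefixed replacement, and a signer/decoder with a version switch on the writing side and a minimum-accepted-version check on the reading side (the same role that the version and min_version parameters play on set_secure_cookie and get_secure_cookie). The secret, cookie names and values are constructed for the demo. The check signing_inputs_collide shows why cookie names that are prefixes of one another matter: under plain concatenation, two different (name, value) pairs are signed over identical bytes, so a single HMAC vouches for both; with length-prefixed fields they cannot.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo secret (hypothetical); a real app uses its own cookie_secret.
SECRET = b"demo-cookie-secret-not-for-production"


def _concat_signing_input(name: str, value: str, timestamp: str) -> bytes:
    # Legacy (version-1 style) signing input: fields are simply concatenated, so
    # the name/value boundary is not part of what gets signed.
    return (name + value + timestamp).encode()


def _length_prefixed_signing_input(name: str, value: str, timestamp: str) -> bytes:
    # Version-2 style signing input: each field is "len:data", so two different
    # (name, value, timestamp) triples can never produce the same byte string.
    def field(s: str) -> str:
        return "%d:%s" % (len(s), s)
    return "|".join(["2", field(timestamp), field(name), field(value), ""]).encode()


def signing_inputs_collide(encoder, name_a, value_a, name_b, value_b, ts="1400000000") -> bool:
    # True if two *different* (name, value) pairs are signed over identical bytes,
    # i.e. one signature would be accepted for both of them.
    return (name_a, value_a) != (name_b, value_b) and \
        encoder(name_a, value_a, ts) == encoder(name_b, value_b, ts)


def create_signed_value(name: str, value: bytes, version: int = 2, clock=time.time) -> str:
    # version=1 is the legacy format (transition periods only); version=2 is the
    # length-prefixed format. Modelled on set_secure_cookie's version parameter.
    ts = str(int(clock()))
    v = base64.b64encode(value).decode()
    if version == 1:
        sig = hmac.new(SECRET, _concat_signing_input(name, v, ts), hashlib.sha1).hexdigest()
        return "|".join([v, ts, sig])
    if version == 2:
        to_sign = _length_prefixed_signing_input(name, v, ts)
        sig = hmac.new(SECRET, to_sign, hashlib.sha256).hexdigest()
        return to_sign.decode() + sig
    raise ValueError("unsupported signed-value version %r" % version)


def _take_field(s: str):
    # Parse one "len:data|" field from the front of s; return (data, rest).
    length_str, rest = s.split(":", 1)
    length = int(length_str)
    if rest[length:length + 1] != "|":
        raise ValueError("malformed length-prefixed field")
    return rest[:length], rest[length + 1:]


def _fresh(ts: str, max_age_days: int, clock) -> bool:
    return int(ts) >= clock() - max_age_days * 86400


def decode_signed_value(name: str, cookie: str, max_age_days: int = 31,
                        min_version=None, clock=time.time):
    # Returns the original bytes, or None if the cookie is malformed, expired,
    # signed for another name, has a bad signature, or is older than min_version
    # allows. Modelled on get_secure_cookie's min_version parameter.
    version = 2 if cookie.startswith("2|") else 1
    if min_version is not None and version < min_version:
        return None
    try:
        if version == 1:
            v, ts, sig = cookie.split("|")
            expected = hmac.new(SECRET, _concat_signing_input(name, v, ts),
                                hashlib.sha1).hexdigest()
        else:
            ts, rest = _take_field(cookie[2:])
            signed_name, rest = _take_field(rest)
            v, sig = _take_field(rest)
            if signed_name != name:
                return None
            expected = hmac.new(SECRET, cookie[:-len(sig)].encode(),
                                hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected) or not _fresh(ts, max_age_days, clock):
            return None
        return base64.b64decode(v)
    except (ValueError, TypeError):
        return None


if __name__ == "__main__":
    print("concat collides:", signing_inputs_collide(_concat_signing_input, "ab", "cd", "a", "bcd"))
    print("length-prefixed collides:",
          signing_inputs_collide(_length_prefixed_signing_input, "ab", "cd", "a", "bcd"))
    legacy = create_signed_value("session", b"user=42", version=1)
    print("legacy accepted by default:", decode_signed_value("session", legacy))
    print("legacy rejected with min_version=2:", decode_signed_value("session", legacy, min_version=2))
```

Running it prints that the concatenated input collides while the length-prefixed one does not, and that a version-1 cookie is still accepted by default but rejected once the reader insists on version 2. The in-place decoder also refuses a version-2 cookie presented under a different name, because the name is one of the signed, length-delimited fields.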