Merge pull request #1325 from ccampbell/master

Skip falsy values for some SimpleCookie flags
tornadoweb · Feb 7, 2015 · 30631d4 · 30631d4
2 parents 24b41e7 + 73556c2
commit 30631d4
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py
@@ -171,13 +171,21 @@ class SetCookieExpiresDaysHandler(RequestHandler):
             def get(self):
                 self.set_cookie("foo", "bar", expires_days=10)
 
+        class SetCookieFalsyFlags(RequestHandler):
+            def get(self):
+                self.set_cookie("a", "1", secure=True)
+                self.set_cookie("b", "1", secure=False)
+                self.set_cookie("c", "1", httponly=True)
+                self.set_cookie("d", "1", httponly=False)
+
         return [("/set", SetCookieHandler),
                 ("/get", GetCookieHandler),
                 ("/set_domain", SetCookieDomainHandler),
                 ("/special_char", SetCookieSpecialCharHandler),
                 ("/set_overwrite", SetCookieOverwriteHandler),
                 ("/set_max_age", SetCookieMaxAgeHandler),
                 ("/set_expires_days", SetCookieExpiresDaysHandler),
+                ("/set_falsy_flags", SetCookieFalsyFlags)
                 ]
 
     def test_set_cookie(self):
@@ -248,7 +256,15 @@ def test_set_cookie_expires_days(self):
         header_expires = datetime.datetime(
             *email.utils.parsedate(match.groupdict()["expires"])[:6])
         self.assertTrue(abs(timedelta_to_seconds(expires - header_expires)) < 10)
-
+
+    def test_set_cookie_false_flags(self):
+        response = self.fetch("/set_falsy_flags")
+        headers = sorted(response.headers.get_list("Set-Cookie"))
+        self.assertEqual(headers[0], 'a=1; Path=/; secure')
+        self.assertEqual(headers[1], 'b=1; Path=/')
+        self.assertEqual(headers[2], 'c=1; httponly; Path=/')
+        self.assertEqual(headers[3], 'd=1; Path=/')
+
 
 class AuthRedirectRequestHandler(RequestHandler):
     def initialize(self, login_url):

diff --git a/tornado/web.py b/tornado/web.py
@@ -524,6 +524,12 @@ def set_cookie(self, name, value, domain=None, expires=None, path="/",
         for k, v in kwargs.items():
             if k == 'max_age':
                 k = 'max-age'
+
+            # skip falsy values for httponly and secure flags because
+            # SimpleCookie sets them regardless
+            if k in ['httponly', 'secure'] and not v:
+                continue
+
             morsel[k] = v
 
     def clear_cookie(self, name, path="/", domain=None):