This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Classification
Title: http.cookies, Cookie.py: Improper handling of duplicate cookies
Type: behavior
Stage: test needed
Components: Library (Lib)
Versions: Python 3.10, Python 3.9, Python 3.8

Process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: ajaksu2, cito, jjlee, karlcow, mmelin, sonderblade, valankar
Priority: normal
Keywords: easy, patch

Created on 2005-12-07 03:50 by valankar, last changed 2022-04-11 14:56 by admin.

Files
File name | Uploaded | Description
Cookie.py.patch | valankar, 2005-12-07 03:50 | Patch for revision 41632 of Cookie.py
issue1375011-2.7.patch | mmelin, 2013-02-23 16:45 | Patch, test & docs for Cookie.py on 2.7
issue1375011-3.2.patch | mmelin, 2013-02-23 16:45 | Patch, test & docs for http/cookies.py on 3.2
Messages (8)
msg49178 - (view) Author: Viraj Alankar (valankar) Date: 2005-12-07 03:50
This patch implements part of bug 1372650.

Sometimes a web client will send 2 instances of the same name:

Cookie: mycookie=foo; mycookie=bar

The specs listed here:

http://wp.netscape.com/newsref/std/cookie_spec.html

state that the first one is the one that should be used. The other 
cookies listed are the inherited ones from paths that are a prefix of the 
current URL. When this is parsed by the Cookie module, mycookie gets 
set to bar when it should be foo.

This patch changes Cookie.py to only use the first instance of duplicate 
cookies when parsing cookie strings.
msg49179 - (view) Author: Björn Lindqvist (sonderblade) Date: 2007-03-14 23:54
That link is misleading and just confuses you. :) Instead read John J. Lee's great explanation at the referenced bug report. I have tested the patch and it works as expected. Without the patch:

>>> from Cookie import SimpleCookie
>>> c = SimpleCookie('foo=33;foo=34')
>>> print c
Set-Cookie: foo=34

With the patch:

>>> c = SimpleCookie('foo=33;foo=34')
>>> print c
Set-Cookie: foo=33

There should be a unit test though and something in the documentation. The keys dict should be a set instead.
msg86297 - (view) Author: Daniel Diniz (ajaksu2) * (Python triager) Date: 2009-04-22 14:42
See discussion in issue 1372650.
msg114634 - (view) Author: Mark Lawrence (BreamoreBoy) * Date: 2010-08-22 01:33
Even if the patch is still valid there are still no doc or unit test changes.
msg182758 - (view) Author: Martin Melin (mmelin) * Date: 2013-02-23 16:45
Attached is a patch with Viraj's original fix except using a set instead of a dict as suggested by Björn. This patch also includes a test case and a note in the docs about this behavior.

Since Cookie has been moved and the code has been cleaned up somewhat between 2.7 and 3.2, I'm attaching patches for both branches.

Of course, a decision still needs to be made whether or not this should be applied; the behavior is more correct now, but I don't know if it is worth potentially breaking applications that have come to expect the old behavior. There doesn't seem to be a consensus in #1372650 but I thought having a complete patch would be a good thing regardless.
msg182759 - (view) Author: Martin Melin (mmelin) * Date: 2013-02-23 16:45
Just adding the 3.2 patch
msg353845 - (view) Author: karl (karlcow) * Date: 2019-10-03 12:52
Relevant spec
https://tools.ietf.org/html/rfc6265
msg385430 - (view) Author: Christoph Zwerschke (cito) * Date: 2021-01-21 15:12
This patch should really be included.

As karl already mentioned, the relevant spec is RFC 6265, see section 5.4.2: "The user agent SHOULD sort the cookie-list in the following order: Cookies with longer paths are listed before cookies with shorter paths. Among cookies that have equal-length path fields, cookies with earlier creation-times are listed before cookies with later creation-times."

Currently, if the cookies are loaded with cookies.load(env['HTTP_COOKIE']) as most web frameworks do, then the cookies will be populated with the least specific or oldest values if there are duplicates. This is really bad.
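As an added illustration of the behaviour discussed in msg49178 and msg385430 (this is example code written for this page, not any of the attached patches or the stdlib's own implementation): a small Cookie-header parser that keeps the first occurrence of each name, which under the RFC 6265 section 5.4.2 ordering is the most specific (longest-path) or oldest cookie, placed beside a call into `http.cookies.SimpleCookie` so the two results can be compared on the same input. The header string and the cookie names in it are constructed for the example; `find_duplicate_names` is a hypothetical helper for logging which names arrived more than once, so the ambiguity is visible server-side rather than silently resolved.

```python
"""First-occurrence cookie parsing, contrasted with http.cookies.

Added example for this issue; not code from the attached patches.
"""
from collections import Counter
from http.cookies import SimpleCookie


def parse_cookie_header(header):
    """Parse a Cookie request header into {name: value}, keeping the FIRST
    value seen for each name.

    RFC 6265 section 5.4.2 has the user agent order the cookie-list so that
    longer (more specific) paths come first and, among equal-length paths,
    earlier-created cookies come first.  Keeping the first occurrence
    therefore selects the most specific / oldest cookie.
    """
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        # A cookie-pair without "=" is malformed; skip it rather than guess.
        name, sep, value = part.partition("=")
        if not sep:
            continue
        name = name.strip()
        value = value.strip()
        # RFC 6265 allows the cookie-value to be wrapped in DQUOTEs.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        cookies.setdefault(name, value)  # first occurrence wins
    return cookies


def find_duplicate_names(header):
    """Hypothetical helper: return the cookie names that appear more than
    once, so a server can log the ambiguity instead of resolving it silently.
    """
    names = []
    for part in header.split(";"):
        name, sep, _ = part.strip().partition("=")
        if sep and name.strip():
            names.append(name.strip())
    return sorted(n for n, count in Counter(names).items() if count > 1)


def stdlib_parse(header):
    """What http.cookies.SimpleCookie yields for the same header, so the
    two strategies can be compared side by side on one input."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


# Constructed request header: a path-specific cookie followed by the
# inherited one, the situation described in msg49178, plus an unrelated cookie.
HEADER = "mycookie=foo; mycookie=bar; session=abc123"

if __name__ == "__main__":
    print("duplicates :", find_duplicate_names(HEADER))
    print("first-wins :", parse_cookie_header(HEADER))
    print("http.cookies:", stdlib_parse(HEADER))
```

Running the block prints the duplicated names, the first-wins result (`mycookie` is `foo`) and whatever the installed `http.cookies` produces, which on interpreters affected by this issue is the later `bar`.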
History
Date | User | Action | Args
2022-04-11 14:56:14 | admin | set | github: 42664
2021-01-21 15:12:28 | cito | set | nosy: + cito; messages: + msg385430
2020-11-06 20:00:24 | iritkatriel | set | versions: + Python 3.8, Python 3.9, Python 3.10, - Python 3.1, Python 2.7, Python 3.2
2019-10-03 12:52:29 | karlcow | set | nosy: + karlcow; messages: + msg353845
2016-08-22 12:31:03 | martin.panter | set | title: Improper handling of duplicate cookies -> http.cookies, Cookie.py: Improper handling of duplicate cookies
2016-04-25 12:01:01 | berker.peksag | link | issue7504 superseder
2014-02-03 18:40:14 | BreamoreBoy | set | nosy: - BreamoreBoy
2013-02-23 16:45:57 | mmelin | set | files: + issue1375011-3.2.patch; messages: + msg182759
2013-02-23 16:45:05 | mmelin | set | files: + issue1375011-2.7.patch; nosy: + mmelin; messages: + msg182758
2010-08-30 16:53:05 | BreamoreBoy | link | issue1372650 superseder
2010-08-30 16:53:05 | BreamoreBoy | unlink | issue1372650 dependencies
2010-08-22 01:33:46 | BreamoreBoy | set | nosy: + BreamoreBoy; messages: + msg114634; versions: + Python 3.1, Python 2.7, Python 3.2, - Python 2.6
2009-04-22 14:42:51 | ajaksu2 | set | keywords: + easy; nosy: + ajaksu2; messages: + msg86297
2009-02-16 03:57:53 | ajaksu2 | link | issue1372650 dependencies
2009-02-13 01:16:33 | ajaksu2 | set | nosy: + jjlee; stage: test needed; type: behavior; versions: + Python 2.6, - Python 2.5
2005-12-07 03:50:53 | valankar | create |