This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

classification
Title: Cookies without values are silently ignored (by design?)
Type:
Stage: resolved
Components: Library (Lib)
Versions:
process
Status: closed
Resolution: duplicate
Dependencies:
Superseder: Backport Cookie fix to 2.7 (httponly / secure flag) (View: 19870)
Assigned To: orsenthil
Nosy List: akuchling, andresriancho, berker.peksag, facundobatista, jjlee, orsenthil, sirilyan
Priority: normal
Keywords:

Created on 2004-09-14 18:05 by sirilyan, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Messages (13)
msg22444 - (view) Author: Doug Sheppard (sirilyan) Date: 2004-09-14 18:05
Cookie._CookiePattern is the regular expression used to
retrieve cookies from the HTTP_COOKIE environment
variable. This pattern assumes that all cookies are in
"name=value" format. A cookie that doesn't have an
"=value" component is silently skipped over. (It's
easy to generate a cookie like that - in JavaScript,
document.cookie="broken" is all it takes.)
>>> import Cookie
>>> q = Cookie.SimpleCookie("pie=good; broken; other=thing")
>>> q
<SimpleCookie: other='thing' pie='good'>
If ignoring cookies without a "=value" component is
intended behaviour, it'd be nice to have a code comment
warning that's what happens. If it's a bug, the cookie
should be set with an empty value.
msg22445 - (view) Author: John J Lee (jjlee) Date: 2005-06-29 20:02
Though I had previously assumed stability is more important
than the precise details of what module Cookie does (since
you can choose what cookies you send, the only important
thing is that behaviour is relatively sane, and does the job
-- in a standards-compliant way -- with browsers). But I
suppose one can have JS code or other web app code
maintained by others, and have to understand cookies that
were emitted by that code. Is that your situation?
Do 'serious' web developers use module Cookie, or do people
now tend to use web frameworks' own cookie code (personally
I don't use cookies in my web application work). If the
former, perhaps we should not tinker with this module.
msg22446 - (view) Author: John J Lee (jjlee) Date: 2005-07-01 17:22
In the last sentence of my previous comment, I meant to say:
"if the latter".
msg74511 - (view) Author: Andres Riancho (andresriancho) Date: 2008-10-08 03:08
Sorry to bother you guys after so much time, but I think that there is
at least one bit of the RFC that isn't respected by this "name=value"
thing... If we look at the RFC we'll see this:
 cookie-av = "Comment" "=" value
           | "Domain" "=" value
           | "Max-Age" "=" value
           | "Path" "=" value
           | "Secure"
           | "Version" "=" 1*DIGIT
As you may have noticed, "Secure" doesn't have any values. Also, (but
out of the RFC) there is a commonly used cookie flag named "HttpOnly"
[0], which would be nice to correctly parse also.
Should _CookiePattern be modified to address this issue? 
[0] http://www.owasp.org/index.php/HTTPOnly 
msg74548 - (view) Author: Andres Riancho (andresriancho) Date: 2008-10-08 21:47
The RFC I'm talking about is: http://www.ietf.org/rfc/rfc2109.txt 
msg74609 - (view) Author: John J Lee (jjlee) Date: 2008-10-09 23:29
You haven't said what the specific problem is. Note that the
SimpleCookie class really represents a set of cookies, and the Morsel
class represents a single cookie. It seems that setting special
value-less cookie-attributes like "secure" works:
Python 2.5.2 (r252:60911, Jul 31 2008, 17:28:52) 
[GCC 4.2.3 (Ubuntu 4.2.3-2ubuntu7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import Cookie
>>> c = Cookie.SimpleCookie("spam=eggs; foo=bar")
>>> c.output()
'Set-Cookie: foo=bar\r\nSet-Cookie: spam=eggs'
>>> c["foo"]["secure"] = 1
>>> c.output()
'Set-Cookie: foo=bar; secure\r\nSet-Cookie: spam=eggs'
HttpOnly support was added here:
http://bugs.python.org/issue1638033
However, I don't know why BaseCookie.load() treats "secure" or
"HttpOnly" specially at all -- those names are not special in Cookie:
headers.
msg74614 - (view) Author: Andres Riancho (andresriancho) Date: 2008-10-10 02:15
My problem, and the problem of the original bug reporter (sirilyan) is
that the load method ignores names that don't have values. Quoting the
original bug report:
>>> import Cookie
>>> q = Cookie.SimpleCookie("pie=good; broken; other=thing")
>>> q
<SimpleCookie: other='thing' pie='good'>
The original bug report suggested raising a warning or something. I
don't like that idea too much. What I would like to see is the "secure"
cookie parameter, which BY RFC has no value, be parsed as expected.
Right now if you .load() a cookie that looks like this: "a=b; secure"
and then you want to write that cookie back, you lose the secure parameter!
dz0@brick:~$ python
Python 2.5.2 (r252:60911, Jul 31 2008, 17:28:52) 
[GCC 4.2.3 (Ubuntu 4.2.3-2ubuntu7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import Cookie
>>> C = Cookie.SimpleCookie()
>>> C.load("chips=ahoy; vienna=finger")
>>> print C
Set-Cookie: chips=ahoy
Set-Cookie: vienna=finger
>>> C.load("chips=ahoy; vienna=finger; secure")
>>> print C
Set-Cookie: chips=ahoy
Set-Cookie: vienna=finger
>>> 
I'm not sure if I'm being clear enough, please tell me if you need me to
rewrite something, or use other examples.
msg74637 - (view) Author: John J Lee (jjlee) Date: 2008-10-10 18:15
I was responding to your comment of 2008-10-08 03:08, not to the opening
comment. I already responded to the opening comment.
msg74638 - (view) Author: Andres Riancho (andresriancho) Date: 2008-10-10 18:21
- Problem: The secure flag of cookies is ignored by the load method.
- Why is it related to this issue? Because the secure flag is a name
without a value:
pie=good; other=thing; secure
- Why is it bad?
Because the RFC says that we should parse it.
msg74640 - (view) Author: John J Lee (jjlee) Date: 2008-10-10 18:40
The Cookie: header does not have a "secure flag" (The Set-Cookie: header
does).
I don't strongly object to the issue identified in the original comment
being fixed.
msg114377 - (view) Author: Mark Lawrence (BreamoreBoy) * Date: 2010-08-19 16:31
Any interest in this?
msg121272 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2010-11-16 08:29
Revisiting this issue.
- Cookie: should contain name=value pairs
- Set-Cookie: header can contain a single word like 'secure'
The current design is along the same lines only.
In the original comment, the request had asked to document the behavior of Cookie class ignoring the nameless values. That should be okay.
msg210336 - (view) Author: Berker Peksag (berker.peksag) * (Python committer) Date: 2014-02-05 18:37
This was fixed in issue 16611 (for 3.3 and 3.4) and there is an open issue for 2.7: issue 19870. I'm closing this one as a duplicate of issue 19870, because it has a patch.
>>> from http import cookies
>>> C = cookies.SimpleCookie()
>>> C.load("chips=ahoy; vienna=finger; secure")
>>> print(C)
Set-Cookie: chips=ahoy
Set-Cookie: vienna=finger; secure
>>> C['vienna']['secure']
True
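The two behaviours argued over in this thread (value-less names in a Cookie: header, and the value-less "secure" flag surviving load() and output()) can be checked against whatever Python 3 is installed. This is an added example, not code from the tracker or from CPython; the function names are hypothetical, and the tolerant parser assumes unquoted values with no embedded semicolons.

```python
from http.cookies import SimpleCookie

FLAGS = ("secure", "httponly")  # value-less Set-Cookie attributes named in the thread


def tolerant_cookie_header(header):
    """Parse a Cookie: request header, keeping value-less names with ''."""
    pairs = {}
    for token in header.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        pairs[name.strip()] = value.strip()
    return pairs


def silently_dropped(header):
    """Names present in the raw header that SimpleCookie.load() did not keep."""
    jar = SimpleCookie()
    jar.load(header)  # raises nothing for the inputs below; it just skips
    return sorted(set(tolerant_cookie_header(header)) - set(jar))


def flags_lost_on_round_trip(set_cookie_value):
    """Flags present in the input but missing after load() + output()."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    emitted = jar.output().lower()
    tokens = [t.strip().lower() for t in set_cookie_value.split(";")]
    return [f for f in FLAGS if f in tokens and "; " + f not in emitted]


if __name__ == "__main__":
    # Constructed inputs, reusing the strings quoted in the messages above.
    header = "pie=good; broken; other=thing"
    print("tolerant parse:  ", tolerant_cookie_header(header))
    print("dropped by load():", silently_dropped(header))
    print("flags lost:       ",
          flags_lost_on_round_trip("chips=ahoy; vienna=finger; secure"))
```

A non-empty result from flags_lost_on_round_trip() means code that re-emits a parsed cookie on that interpreter would strip Secure or HttpOnly from it.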
History
Date  User  Action  Args
2022-04-11 14:56:07  admin  set  github: 40910
2014-02-05 18:37:57  berker.peksag  set  status: open -> closed; superseder: Backport Cookie fix to 2.7 (httponly / secure flag); nosy: + berker.peksag; messages: + msg210336; resolution: duplicate; stage: resolved
2014-02-03 19:18:25  BreamoreBoy  set  nosy: - BreamoreBoy
2010-11-16 08:29:46  orsenthil  set  assignee: orsenthil; messages: + msg121272; nosy: + orsenthil
2010-11-12 21:03:49  akuchling  set  assignee: akuchling -> (no value)
2010-08-19 16:31:38  BreamoreBoy  set  nosy: + BreamoreBoy; messages: + msg114377
2008-10-10 18:40:08  jjlee  set  messages: + msg74640
2008-10-10 18:21:06  andresriancho  set  messages: + msg74638
2008-10-10 18:15:53  jjlee  set  messages: + msg74637
2008-10-10 02:15:32  andresriancho  set  messages: + msg74614
2008-10-09 23:29:12  jjlee  set  messages: + msg74609
2008-10-08 21:47:52  andresriancho  set  messages: + msg74548
2008-10-08 11:54:15  facundobatista  set  nosy: + facundobatista
2008-10-08 03:08:03  andresriancho  set  nosy: + andresriancho; messages: + msg74511
2004-09-14 18:05:42  sirilyan  create