Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix clearing two cookies with the same name #3207

Merged
merged 3 commits into from
Jan 16, 2018
Merged

Fix clearing two cookies with the same name #3207

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1fdcd37
Fix clearing two cookies with the same name
takluyver Jan 12, 2018
6ba7b17
Only use force_clear_cookie for the extra compatibility piece
takluyver Jan 16, 2018
0f0fe84
Expand description of compatibility code
takluyver Jan 16, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 31 additions & 3 deletions notebook/base/handlers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
# Copyright (c) Jupyter Development Team.
# Distributed under the terms of the Modified BSD License.

import datetime
import functools
import json
import mimetypes
Expand All @@ -15,15 +16,17 @@
try:
# py3
from http.client import responses
from http.cookies import Morsel
except ImportError:
from httplib import responses
from Cookie import Morsel
try:
from urllib.parse import urlparse # Py 3
except ImportError:
from urlparse import urlparse # Py 2

from jinja2 import TemplateNotFound
from tornado import web, gen, escape
from tornado import web, gen, escape, httputil
from tornado.log import app_log

from notebook._sysinfo import get_sys_info
Expand Down Expand Up @@ -91,14 +94,39 @@ def set_default_headers(self):
# for example, so just ignore)
self.log.debug(e)

def force_clear_cookie(self, name, path="/", domain=None):
"""Deletes the cookie with the given name.

Tornado's cookie handling currently (Jan 2018) stores cookies in a dict
keyed by name, so it can only modify one cookie with a given name per
response. The browser can store multiple cookies with the same name
but different domains and/or paths. This method lets us clear multiple
cookies with the same name.

Due to limitations of the cookie protocol, you must pass the same
path and domain to clear a cookie as were used when that cookie
was set (but there is no way to find out on the server side
which values were used for a given cookie).
"""
name = escape.native_str(name)
expires = datetime.datetime.utcnow() - datetime.timedelta(days=365)

morsel = Morsel()
morsel.set(name, '', '""')
morsel['expires'] = httputil.format_timestamp(expires)
morsel['path'] = path
if domain:
morsel['domain'] = domain
self.add_header("Set-Cookie", morsel.OutputString())

def clear_login_cookie(self):
cookie_options = self.settings.get('cookie_options', {})
path = cookie_options.setdefault('path', self.base_url)
self.clear_cookie(self.cookie_name, path=path)
self.force_clear_cookie(self.cookie_name, path=path)
if path and path != '/':
# also clear cookie on / to ensure old cookies
# are cleared after the change in path behavior.
self.clear_cookie(self.cookie_name)
self.force_clear_cookie(self.cookie_name)
Copy link
Member

@minrk minrk Jan 15, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe just call the force_clear_cookie here so we are using the normal clear_cookie most of the time? And add a FIXME noting that this is a backward-compatibily bit added in 5.2?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, done.


def get_current_user(self):
if self.login_handler is None:
Expand Down