[cse491] Set-Cookie with expires='some time in the past'
Joe Amenta
amentajo at msu.edu
Mon Nov 23 15:49:30 PST 2009
On Mon, Nov 23, 2009 at 01:14:30PM -0800, C. Titus Brown wrote:
> On Mon, Nov 23, 2009 at 04:07:27PM -0500, Joe Amenta wrote:
> > I rolled my own cookie-deleting function in cookie_util, and it now sends
> > this header:
> >
> > Set-Cookie: session=; expires=Wed, 31-Dec-1969 19:00:01 GMT
> >
> > Why is Firefox still sending the cookie:
> >
> > Cookie: session=
> >
> > in later requests?
>
> Hi Joe,
>
> what happens if you do:
>
> Set-Cookie: session=foo; expires=...
>
> ? Does it return session=foo or does it return session=?
>
> cheers,
> --titus
> --
> C. Titus Brown, ctb at msu.edu
No, it still keeps session=foo.
I figured it out. It was the oldest mistake in the book: crossing the epoch.
This manifestation: To get the timestamp, I called
datetime.datetime.fromtimestamp(0) instead of
datetime.datetime.utcfromtimestamp(0)
Because we are at UTC-5, this set the date to 5 hours before epoch, which,
when Firefox parsed it, rolled over to a date tens of thousands of years into
the future. My guess is that Firefox parses it into an unsigned integer.
This appears to be technically a bug with the browser implementation rather
than with the web server, but in most cases, it is a non-issue: just set
cookies' expiration dates to epoch or post-epoch.
So here is a function to delete a cookie (given name as a parameter):
def make_del_cookie_header(name):
    """
    Makes a 'Set-Cookie' header for deleting a cookie.
    """
    return ("Set-Cookie", "%s=; expires=Thu, 01-Jan-1970 00:00:00 GMT" % name)
--Joe
P.S., for those not familiar with the Unix concept of epoch, see
http://en.wikipedia.org/wiki/Unix_time -- Jan 1, 1970 at midnight UTC is epoch
time 0; all other times are represented by an integer value of seconds before
or after that reference date.
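
An added example, not part of Joe's message or the course code: it reproduces the local-time-labelled-as-GMT mistake with a fixed UTC-5 offset, so it behaves the same on any machine, and shows a deletion-header builder that rejects naive or pre-epoch expiry times, since a deletion header the browser ignores leaves the session cookie in place. The names buggy_expires, parse_expires, COOKIE_FMT and UTC_MINUS_5 are hypothetical.

```python
from datetime import datetime, timedelta, timezone

COOKIE_FMT = "%a, %d-%b-%Y %H:%M:%S GMT"      # date layout used in the post
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
UTC_MINUS_5 = timezone(timedelta(hours=-5))   # constructed: the offset named in the post


def buggy_expires(tz=UTC_MINUS_5):
    """Reproduce the mistake: local wall-clock time for timestamp 0, labelled GMT."""
    local = datetime.fromtimestamp(0, tz)     # 1969-12-31 19:00 at UTC-5
    # Dropping the offset and printing "GMT" is what moves the date before the epoch.
    return local.replace(tzinfo=None).strftime(COOKIE_FMT)


def parse_expires(value):
    """Parse an expires value in COOKIE_FMT into a timezone-aware UTC datetime."""
    return datetime.strptime(value, COOKIE_FMT).replace(tzinfo=timezone.utc)


def make_del_cookie_header(name, when=EPOCH):
    """Build a cookie-deleting header; refuse a naive or pre-epoch expiry."""
    if when.tzinfo is None:
        raise ValueError("expiry must be timezone-aware")
    when = when.astimezone(timezone.utc)      # always format the UTC instant
    if when < EPOCH:
        raise ValueError("expiry is before the epoch: %s" % when.isoformat())
    return ("Set-Cookie", "%s=; expires=%s" % (name, when.strftime(COOKIE_FMT)))


if __name__ == "__main__":
    bad = buggy_expires()
    print("buggy  :", bad, "->", EPOCH - parse_expires(bad), "before epoch")
    print("correct:", make_del_cookie_header("session")[1])
```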