Silent failure when reading cookies if one cookie is invalid

[ccampbell]

Tornado uses SimpleCookie to parse out cookies from the header. If one of the cookies here is invalid it causes all the cookies to fail.

I ran into this specifically when a cookie was set using a : in the name, but basically whenever Cookie.SimpleCookie().load() throws an exception all the cookies cannot be read because they are set to an empty dictionary.

self._cookies = Cookie.SimpleCookie()
if "Cookie" in self.headers:
    try:
        self._cookies.load(
            native_str(self.headers["Cookie"]))
    except Exception:
        self._cookies = {}

This isn't a problem if you are using Tornado to set all cookies because there are sanity checks to prevent you from setting a cookie with an invalid name, but most browsers/other cookie libraries are actually not as strict about cookies as this python library is.

This could be bad if you have a session cookie of some sort and then in javascript you set a cookie that python considers invalid such as test:cookie. From here on out all cookie reading fails silently until you delete test:cookie.

Ideally I think all cookies should work, but that would require writing a custom cookie parser. Second best I think would be if all the cookies work except for the invalid ones and there is a warning logged to notify the developer that it failed.

[bdarnell]

For reference: the Cookie (now http.cookies) module was changed in python 3.3 to accept ":" as a valid character in cookie names (http://bugs.python.org/issue2193). RFC 6265 is the current "cookies in the real world" standard, and it does not allow colons, but it seems that browsers generally do.

Unfortunately I don't see an easy way to get the pre-3.3 Cookie module to either be more lenient or at least return the valid cookies.

[bdarnell]

See also #1434 and #1176; my most recent and detailed comments on the subject are on #1434.

Replying to @ysimonson from #1730: Unfortunately you can't easily clear all cookies if they fail to parse - you can only clear cookies by name and you can't know their names if you can't parse the header. But maybe that's the right idea: use a fairly strict parser at first, and if that fails, use a more liberal parser to extract the cookie names and clear them. By discarding values from cookies that don't comply with the spec, we can avoid the security bugs that are sometimes caused by differing implementations of out-of-spec values (like https://hackerone.com/reports/14883).