Tornado: Tornado should not collapse `Set-Cookie` headers

Created on 9 Dec 2015  路  2Comments  路  Source: tornadoweb/tornado

Currently tornado collapses multiple Set-Cookie headers from the response into a single header with comma-separated cookies. This makes parsing on the client-side very hard as the expires parameter in the Set-Cookie header also has ',' in it.

For example, if the origin server issues the following response headers,

HTTP/1.1 302 Found
Date: Mon, 23 Mar 2015 18:24:11 GMT
Server: Apache
Pragma: no-cache
Set-Cookie: Navajo=3wJATUguEoQWBd0-; Domain=.server.com; Path=/; Secure; Version=1; HttpOnly
Set-Cookie: NID=74=pPAmuMR-fBtT9mbGOeC2maregcA4JoK43YfBDlXrfqgH5PMmd2Wy-QF_i_Ygc3AgzxSkhvLVBiHEri3k8gl2SiuwgHO68aHb-uousPE9jI346KprSS9enikTZx9ImHrWso8GglTYyeINnlwe9Kc4kb50ufiqxH4s1pbyDnD2; expires=Wed, 08-Jun-2016 14:57:52 GMT; path=/; domain=.google.nl; HttpOnly,CONSENT=WP.24dd69; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.nl
Location: https://server.com/something
Cache-Control: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Length: 285
Content-Type: text/html; charset=utf-8
Set-Cookie: BITD-Persistence=1638274978.47873.0000; path=/

The self.response.headers.get("Set-Cookie", None) call returns collapsed cookies (separated by ','). In order to avoid this, I need the _raw_ Set-Cookie header so that multiple cookies can be parsed by \r\n control characters.

More details in a similar issue, https://github.com/jnunemaker/httparty/issues/384

Most helpful comment

The HTTPHeaders object has two getter methods: get(), which returns a single comma-separated list, and get_list(), which returns a list. The latter is necessary for headers like Set-Cookie.

All 2 comments

The HTTPHeaders object has two getter methods: get(), which returns a single comma-separated list, and get_list(), which returns a list. The latter is necessary for headers like Set-Cookie.

ok, thanks!

Was this page helpful?
0 / 5 - 0 ratings