[mod_python] Cookie problems

Jim Gallacher jpg at jgassociates.ca
Fri Jan 27 12:09:47 EST 2006

Wouter van Marle wrote:
> On Fri, 2006-01-27 at 10:34 -0500, Jim Gallacher wrote:
>>Wouter van Marle wrote:
>>>Hi All,
>>>I'm fiddling around with cookies, and after wondering why I always lost
>>>my settings information I did some testing, and ran into what seems a
>>>very very strict limit in cookie length. The code here is based on the
>>>examples of the web pages. From the documentation I find that there is
>>>no strict limit on the size of the value in the cookies, the only limit
>>>I found mentioned in the archives is a 4k http header limit from Apache.
>>>I'd assume I'm way below that.
>>>Test 1 works correctly.
>>>Test 2, with a slightly larger data for the cookie, fails. It is for
>>>some reason not recognised as a valid MarshalCookie! The value used in
>>>this case (the rest of the code being identical):
>>>value = {'egg': 32,
>>>         'color': 'white',
>>>         'foo': 'bar',
>>>         'foobar': 5}
>>>Here the code of Test 1 (maybe with some extra line breaks due to e-mail
>>>from mod_python import Cookie, apache
>>>import time
>>>def handler(req):
>>>    req.content_type = "text/html; charset=utf-8"
>>>    cookies = Cookie.get_cookies(req, Cookie.MarshalCookie,
>>>                                    secret='secret007')
>>>    if cookies.has_key('spam'):
>>>        spamcookie = cookies['spam']
>>>        req.write('Great, a spam cookie was found: %s\n' \
>>>                                      % str(spamcookie))
>>>        if type(spamcookie) is Cookie.MarshalCookie:
>>>            req.write('Here is what it looks like decoded: %s=%s\n'
>>>                      % (spamcookie.name, spamcookie.value))
>>>        else:
>>>            req.write('WARNING: The cookie found is not a \
>>>                       MarshalCookie, it may have been tapered with!')
>>>    else:
>>>        value = {'egg': 32,
>>>                 'color': 'white',
>>>                 'foo': 'bar'}
>>>        Cookie.add_cookie(req, Cookie.MarshalCookie('spam', value, 'secret007'))
>>>        req.write('Spam cookie not found, but we just set one!\n')
>>>    return
>>I tried your 2 test cases and they both work just fine. Are you saying 
>>that test case 2 as shown above fails, or is the value for test case 2 
>>actually much larger? How does it fail: Not a marshal cookie, or not found?
> The output as given in the browser is the line 'WARNING: The cookie
> found is not a MarshalCookie, it may have been tapered with!' . 
> Attempting to decode the cookie gives garbage.

This certainly suggests that the output header is getting truncated. The 
browser is not returning the complete cookie.

> I'm using Mozilla 1.7.6, Apache Server version:
> Apache-AdvancedExtranetServer/2.0.53, mod_python
> The problem appears to be the same on my debian server (I don't want to
> use it for the above tests; but I found the problem with disappearing
> and unreadable cookies there first). A related problem with the
> (apparently too long) cookies is that both the path= and expires=
> parameters are being ignored when setting the cookie.

They are on the Set-Cookie header line following the cookie value, so if 
the header is getting trimmed somewhere it's not a suprise that they are 
messed up or missing as well.

>>Using value = {'test': 'a' * size}, I found that Firefox was not setting 
>>the cookie for size > 3029, and so was not sending it to the server on 
>>subsequent requests.
> Mmmm well I'm testing it with the variables as given above, that failed.
> I just found that using {'a': 'a'*44} is the maximum I can get through.
> Much smaller than on your side, very strange.

Very strange indeed. There is nothing in Cookie.py that would truncate 
the value that is used for the Set-Cookie header so I don't see how that 
could be a problem. What happens if you try setting some other response 
header such as content_type with a long value? You can use 
httpLiveHeaders or wget to see what the server sends.

> How to easily get the  complete header length, by the way?

wget -S http://localhost/cookietest.py 2>&1 | grep Set-Cookie | cut -f 2 
-d ":" |tr -d " " |wc


> Wouter.
>> The header was sent however from the server 
>>however, so it looks like you face 2 possible limits: the max that 
>>apache will send and the max that a browser will receive. (A quick check 
>>  with IE 6 reveals that it is most likely a browser limit. The cookie 
>>setting works for size > 3500. I didn't test beyond that, but I'm sure 
>>there must be some limit'). FYI for size = 3029 the header length = 
>>4097, while size = 3030 gives a header length of 4101.
>>Perhaps you could expand a little on the exact failure you are seeing.
> ------------------------------------------------------------------------
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python

More information about the Mod_python mailing list