Session cookie expiration isn't locale-safe
lyrixderaven opened this issue · 2 comments
The _set_cookie_expires(self,expires) functionality doesn't account for applications that have changed the global locale:
self.cookie[self.key]['expires'] = expires_date.strftime("%a, %d-%b-%Y %H:%M:%S GMT")
produces output similar to 'Do, 16-Mai-2019 09:59:46 GMT' with a global locale setting of de_DE.UTF-8. This is quite problematic, since most browsers will ignore the expiration setting then, leading to all kinds of unintended consequences.
One solution might be to use a thread-safe context manager to force the locale for the date conversion to be en_US.UTF-8 or similar (see https://stackoverflow.com/a/24070673/846274 for an example that should work in this case).
Is there any reason why this function should honor the global application locale at all?
No, it should ignore the global locale setting.
I think it was just an old bug because the software was developed in the US and most people keep their servers in EN + UTC configuration.
Most frameworks provide their own implementation of HTTP date formatting; beaker should probably do the same:
werkzeug: https://github.com/pallets/werkzeug/blob/d824659abe95ed31b1f9c355f88c4741da5a6e5f/src/werkzeug/http.py#L812-L843
webob: https://github.com/Pylons/webob/blob/741b3d6c9750ba30ba6fd7bc61d66d9f9febe75b/src/webob/cookies.py#L257-L274
Awesome, thanks for the rapid response and fix!
Is there a release schedule that lets me see when this fix will likely be versioned into a release?