Giter Club home page Giter Club logo

cookie-twist's People

Contributors

jossemargt avatar

Stargazers

avatar

Watchers

avatar avatar avatar avatar avatar avatar

cookie-twist's Issues

Epoch timestamps should be in "seconds" instead of milliseconds

Detailed Description

I was manually comparing a Tornado secure cookie value against one generated by cookie-twist, as I show in the code blocks below, and it seems the Tornado implementation uses the epoch time in seconds (second field with 10 chars) and cookie-twist in milliseconds (second filed with 13 chars), therefor having different signatures and invalidating this library's main purpose.

2|1:0|10:1525153096|14:con_test_login|56:KFZ1MQpwMApWcGxhaW50ZXh0OnAxCnAxCkYxNTI1MTUzMDk2CnRwMgou|05d77f8ba2073a1cc309eef20d96c0cd4c343519a2bfdbb6f336b41584cc84fb

2|1:0|13:1525153096075|14:con_test_login|56:KFZ1MQpwMApWcGxhaW50ZXh0OnAxCnAxCkYxNTI1MTUzMDk2CnRwMgou|8bf47724301b2863a1aa21c59620d740f6f6d7458a730194c9972fcff3d1305f

Context

Usually, the epoch times is given in seconds, and Tornado secure cookies relies on that convention as well.

Possible Implementation

Use Instant.now().getEpochSecond() (Java 8+) or new Date.getTime() / 1000 for the timestamp generation in TornadoCookieCodec class.

Your Environment

Response Header Set-Cookie value doesn't have quotation marks

I'm using TornadoCookieCodec in cms-users-admin to generate a Tornado signed cookie V2 as part of the login process for a third party application written in Python using Tornado v4.5.3 web framework. Unfortunately the Set-Cookie response header value doesn't come inside a pair of double quotes " as expected. As for example you can see an extract of the response headers:

Response Headers
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers
Set-Cookie: new_contest1_login=2|1:0|10:1526870692|18:new_contest1_login|100:KFZhbGVrc3B1bnhnbWFpbGNvbQpwMApWcGxhaW50ZXh0OnVaZDNkajAkY3BldXcxMnBxegpwMQpGMTUyNjg3MDYzNQp0cDIKLg==|635a78b087c10e3351ed93577d4f9cec7d7bf043a6e98eb68ffabecc4269968a; Domain=192.168.187.134;

issue01

Context

This is important to me, otherwise, the third party application won't recognize the Set-Cookie header denying the access to any of its resources.

Possible Implementation

What if the TornadoCookieCodec writes the cookie value within quotation marks whether it's required?

Environment

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.