#36399: Missing cookies when using ASGI and HTTP/2
------------------------------+-----------------------------------------
     Reporter:  Ingmar Stein  |                     Type:  Bug
       Status:  new           |                Component:  HTTP handling
      Version:  5.2           |                 Severity:  Normal
     Keywords:                |             Triage Stage:  Unreviewed
    Has patch:  0             |      Needs documentation:  0
  Needs tests:  0             |  Patch needs improvement:  0
Easy pickings:  0             |                    UI/UX:  0
------------------------------+-----------------------------------------
 I originally created the report here:
 https://forum.djangoproject.com/t/missing-cookies-when-using-asgi-and-http-2/40946

 https://github.com/paperless-ngx/paperless-ngx/issues/9935 describes the
 issue in more detail. In a nutshell: when serving a Django app using ASGI
 and HTTP/2, cookies may get dropped. In case this hits the `csrftoken`
 cookie, it might explain the various "CSRF verification failed" topics in
 this forum category.

 I had a brief look at the code and it looks like the
 [[https://github.com/django/django/blob/main/django/core/handlers/asgi.py#L97-L98|ASGI module]]
 joins multiple values for the same header using commas but
 [[https://github.com/django/django/blob/main/django/http/cookie.py#L12|`parse_cookie`]]
 splits by semicolon.

 The same issue has also hit other ASGI frameworks:
 https://github.com/encode/starlette/discussions/2916

 @carltongibson created this minimal repro:

 {{{#!python
 from django.conf import settings
 from django.core.handlers.asgi import ASGIRequest

 settings.configure(DEBUG=True)

 scope = {
     "type": "http",
     "asgi": {
         "version": "3.0",
         "spec_version": "2.3",
     },
     "http_version": "2.0",
     "method": "GET",
     "scheme": "http",
     "path": "/",
     "raw_path": b"/",
     "query_string": b"",
     "root_path": "",
     "headers": [
         (b"cookie", b"a=abc;"),
         (b"cookie", b"b=def;"),
         (b"cookie", b"c=ghi;")
     ],
     "client": ("127.0.0.1", 10000),
     "server": ("127.0.0.1", 8000),
     "extensions": {}
 }

 request = ASGIRequest(scope, None)

 print(request.COOKIES)  # Prints: {'a': 'abc', ',b': 'def', ',c': 'ghi'}
 assert request.COOKIES == {'a': 'abc', 'b': 'def', 'c': 'ghi'}
 }}}
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36399>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
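
The mismatch described in the ticket, as an added standalone example (not part of the ticket and not Django's code; `merge_headers`, `parse_cookie_header` and `malformed_names` are hypothetical helpers). It compares comma-joining every repeated header with joining repeated Cookie fields using "; ", which is what RFC 9113 section 8.2.3 requires, and adds a check for comma-prefixed cookie names that can be used to spot the problem in a running app.

```python
# Added illustration, not Django code: helper names are hypothetical.

def merge_headers(raw_headers, cookie_aware):
    """Collapse repeated ASGI (name, value) byte pairs into one string per name.

    cookie_aware=False joins every repeated header with "," (the behaviour the
    ticket describes). cookie_aware=True joins repeated Cookie fields with "; "
    as RFC 9113 section 8.2.3 requires, and keeps "," for all other headers.
    """
    merged = {}
    for name, value in raw_headers:
        name = name.decode("latin1").lower()
        value = value.decode("latin1")
        if name in merged:
            sep = "; " if cookie_aware and name == "cookie" else ","
            merged[name] += sep + value
        else:
            merged[name] = value
    return merged


def parse_cookie_header(value):
    """Split a Cookie header value on ";" into a name -> value dict."""
    cookies = {}
    for chunk in value.split(";"):
        name, sep, val = chunk.partition("=")
        if not sep:  # no "=": treat the chunk as a nameless value
            name, val = "", chunk
        name, val = name.strip(), val.strip()
        if name or val:
            cookies[name] = val
    return cookies


def malformed_names(cookies):
    """Cookie names are RFC 6265 tokens and cannot contain ","; a comma in a
    name is a sign that separate Cookie fields were comma-joined upstream."""
    return sorted(n for n in cookies if "," in n)


# Header list from the ticket's repro, plus a constructed Accept pair.
HEADERS = [(b"cookie", b"a=abc;"), (b"cookie", b"b=def;"),
           (b"cookie", b"c=ghi;"), (b"accept", b"text/html"),
           (b"accept", b"application/json")]

if __name__ == "__main__":
    for aware in (False, True):
        cookies = parse_cookie_header(merge_headers(HEADERS, aware)["cookie"])
        print(aware, cookies, malformed_names(cookies))
```

When the client omits the trailing semicolons, the comma-joined form does not just rename the later cookies: they are absorbed into the first cookie's value, so a `csrftoken` sent in its own Cookie field disappears entirely.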
