Requests: comma in case: join multiple Set-Cookie Headers

Created on 7 Apr 2017  ·  3Comments  ·  Source: psf/requests

Many web-apps send cookie in multiple Set-Cookie headers, one header for one cookie. Requests joins this headers in one big header separate by comma.

From same webapp to requests.get

Set-Cookie: ASP.NET_SessionId=token1; path=/; HttpOnly
Set-Cookie: Cookie1=token2; path=/ecp
Set-Cookie: X-BEResource=WIN-RBFR0BDA7V7.testlab.net~1; path=/ecp/15.0.516.30; HttpOnly
Set-Cookie: X-BackEndCookie=token3; expires=Mon, 03-Apr-2017 12:25:07 GMT; path=/ecp; HttpOnly

In requests:
resp.headers this look like

Set-Cookie: ASP.NET_SessionId=token1; path=/; HttpOnly,    
  Cookie1=token2; path=/ecp, 
  X-BEResource=WIN-RBFR0BDA7V7.testlab.net~1; path=/ecp/15.0.516.30; HttpOnly, 
  X-BackEndCookie=token3; expires=Thu, 06-Apr-2017 08:27:22 GMT; path=/ecp; HttpOnly

Firefox, IE, Chrome invalid interpreted this cookies because separater is comma but in field EXPIRES comma separate day and date.

Principal problem in modification traffic. In my opinion then server send multiple headers lib must return multiple headers

picture jake491

Most helpful comment

Requests makes no promises about leaving headers in the form they are received from the server. Right now, I highly recommend you use the cookiejar Requests uses to store cookies rather than extracting them from the headers: we correctly insert them in there.

Longer term, we should probably add a fix to exclude the Set-Cookie header from joining in this way.

picture Lukasa on 7 Apr 2017
👍6

All 3 comments

Requests makes no promises about leaving headers in the form they are received from the server. Right now, I highly recommend you use the cookiejar Requests uses to store cookies rather than extracting them from the headers: we correctly insert them in there.

Longer term, we should probably add a fix to exclude the Set-Cookie header from joining in this way.

Lukasa picture Lukasa on 7 Apr 2017
👍6

This has bitten us and cost us quite a few hours. I'd like to vote to leave Set-Cookie intact. Why does requests fiddle with the headers anyways? Is there some good reason for it? IMHO it only complicates things for everybody. What am I missing?
Thanks for your good work!

daniel-kun picture daniel-kun on 19 Mar 2020
👍1

Hi, there is a way to parse headers correctly with https://github.com/Ousret/kiss-headers requests won't be able to change their representation for headers any time soon.

Ousret picture Ousret on 16 Apr 2020
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ghtyrant picture ghtyrant  ·  3Comments
eromoe picture eromoe  ·  3Comments
iLaus picture iLaus  ·  3Comments
Matt3o12 picture Matt3o12  ·  3Comments
mitar picture mitar  ·  4Comments