What’s new in Tornado 3.2.1¶
May 5, 2014¶
The signed-value format used by
RequestHandler.get_secure_cookiehas changed to be more secure. This is a disruptive change. The
secure_cookiefunctions take new
versionparameters to support transitions between cookie formats.
The new cookie format fixes a vulnerability that may be present in applications that use multiple cookies where the name of one cookie is a prefix of the name of another.
To minimize disruption, cookies in the older format will be accepted by default until they expire. Applications that may be vulnerable can reject all cookies in the older format by passing
Thanks to Joost Pol of Certified Secure for reporting this issue.
Signed cookies issued by
RequestHandler.set_secure_cookiein Tornado 3.2.1 cannot be read by older releases. If you need to run 3.2.1 in parallel with older releases, you can pass
RequestHandler.set_secure_cookieto issue cookies that are backwards-compatible (but have a known weakness, so this option should only be used for a transitional period).
The C extension used to speed up the websocket module now compiles correctly on Windows with MSVC and 64-bit mode. The fallback to the pure-Python alternative now works correctly on Mac OS X machines with no C compiler installed.