What’s new in Tornado 3.2.1

May 5, 2014

Security fixes

  • The signed-value format used by RequestHandler.set_secure_cookie and RequestHandler.get_secure_cookie has changed to be more secure. This is a disruptive change. The secure_cookie functions take new version parameters to support transitions between cookie formats.

  • The new cookie format fixes a vulnerability that may be present in applications that use multiple cookies where the name of one cookie is a prefix of the name of another.

  • To minimize disruption, cookies in the older format will be accepted by default until they expire. Applications that may be vulnerable can reject all cookies in the older format by passing min_version=2 to RequestHandler.get_secure_cookie.

  • Thanks to Joost Pol of Certified Secure for reporting this issue.

Backwards-compatibility notes

  • Signed cookies issued by RequestHandler.set_secure_cookie in Tornado 3.2.1 cannot be read by older releases. If you need to run 3.2.1 in parallel with older releases, you can pass version=1 to RequestHandler.set_secure_cookie to issue cookies that are backwards-compatible (but have a known weakness, so this option should only be used for a transitional period).

Other changes

  • The C extension used to speed up the websocket module now compiles correctly on Windows with MSVC and 64-bit mode. The fallback to the pure-Python alternative now works correctly on Mac OS X machines with no C compiler installed.