Cookie filter

[panda73111]

Relevant issue: #792
This branch will add cookie management adhering to RFC 6265.
Right now, it adds a simple filter for cookies sent, regarding their "Domain" attribute.

• Cookies passed to ClientSession without a "Domain" attribute (as SimpleCookie() or dict/tuple) are still shared across all requests, to keep backwards compatibility.
• Leading dots are ignored (Domain=.example.com becomes Domain=example.com)
• Cookies with matching domain are sent (Domain=example.com is sent to sub.example.com, but not the other way around)
• Only shared cookies are sent to addresses that are not a domain, like an IP address

More filters (for the remaining attributes and for storing incoming cookies) will be added as soon as I have the time, until eventually ClientSession behaves like stated in RFC 6265.
CORS is completely new to me and low priority until further research.
This branch can be merged into master at any time, I'll add pull requests as needed and all tests pass.

• The Domain Attribute
• The Secure Attribute
• The Path Attribute
• The Expires Attribute
• The Max-Age Attribute

EDIT 23.02.2016:

• The Domain attribute of received cookies is set to the response hostname if empty, their host-only-flag is set to True
• Cookies from IP addresses are rejected

EDIT 29.02.2016:

• Cookies with secure-flag set are only sent to secure hosts (https://)

EDIT 18.03.2016:

• Cookies with matching path are sent
• If received cookies do not have the path-attribute defined, it is set to the response path

EDIT 20.03.2016:

• Stored cookies are deleted when the time defined in the max-age- or expires-attribute is reached. A timer is set via loop.call_later()/call_at() when a cookie is added, that removes the cookie from the jar.

[kxepal]

ipaddress.IPAddress(netloc) to support both IPv4 and IPv6 in the right way without regexps (which accepts invalid IPv4 addresses).

[asvetlov]

Looks interesting. I need reread RFC first for making careful review.
I hope to make it during weekend.

Anyway I have a strong feeling that we need to fix cookies problem in the next aiohttp release.

[coveralls]

Coverage decreased (-0.2%) to 98.24% when pulling 4959234 on panda73111:cookie_filter into 496779e on KeepSafe:master.

[coveralls]

Coverage decreased (-0.3%) to 98.119% when pulling 1cfb2c6 on panda73111:cookie_filter into 496779e on KeepSafe:master.

[panda73111]

I added the Expires- and Max-Age-attributes, by scheduling deletion of the cookie via call_later()/call_at(). But this gets problematic as soon as the user changes these attributes, the cookie would still be removed at the original timestamp. How should this be handled? For "Expires", an absolute date, the cookie could just remain in the cookie jar, and just not be sent if the time of sending the request is after the date defined in the "Expires" attribute. But "Max-Age" only consists of a time span in seconds, of which it is not possible to know when it has been set by the user.

[panda73111]

...Or maybe any other comments? This is basically done, as it is.

[auvipy]

you could fix the merge conflicts and failing builds

[coveralls]

Coverage decreased (-1.1%) to 97.068% when pulling f8c0e9a on panda73111:cookie_filter into 024f6e1 on KeepSafe:master.

[coveralls]

Coverage increased (+0.04%) to 98.26% when pulling f6a5da4 on panda73111:cookie_filter into 024f6e1 on KeepSafe:master.

[panda73111]

Well, I wanted my code to get approved first, since I don't want to create a merge commit every time master becomes incompatible, until this gets merged or rejected eventually.

And what's up with these coverage comments? Shouldn't these be posted only after all tests pass? The next commit makes it up to 98.26% again only because flake8 is satisfied...
(Also, coveralls doesn't let me view 'changed' lines, because "The owner of this repo needs to re-authorize with github; their OAuth credentials are no longer valid so the file cannot be pulled from the github API.")

[KostyaEsmukov]

Any update on this?
@asvetlov @fafhrd91

[fafhrd91]

can't we reuse some existing function?

[fafhrd91]

i am +1 for this change, but we need opinion from @asvetlov before inclusion.

[asvetlov]

Squashed and merged as 0016999
@panda73111 thanks you very much for your hard work

[lock]

This thread has been automatically locked since there has not been
any recent activity after it was closed. Please open a new issue for
related bugs.

If you feel like there's important points made in this discussion,
please include those exceprts into that new issue.