What's new in Tornado 3.2.1
May 5, 2014
- The signed-value format used by RequestHandler.get_secure_cookie has changed to be more secure. This is a disruptive change. The secure_cookie functions take new version parameters to support transitions between cookie formats.
- The new cookie format fixes a vulnerability that may be present in applications that use multiple cookies where the name of one cookie is a prefix of the name of another.
- To minimize disruption, cookies in the older format will be accepted by default until they expire. Applications that may be vulnerable can reject all cookies in the older format by passing
- Thanks to Joost Pol of Certified Secure for reporting this issue.
- Signed cookies issued by RequestHandler.set_secure_cookie in Tornado 3.2.1 cannot be read by older releases. If you need to run 3.2.1 in parallel with older releases, you can pass RequestHandler.set_secure_cookie to issue cookies that are backwards-compatible (but have a known weakness, so this option should only be used for a transitional period).
- The C extension used to speed up the websocket module now compiles correctly on Windows with MSVC and 64-bit mode. The fallback to the pure-Python alternative now works correctly on Mac OS X machines with no C compiler installed.
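The prefix-name ambiguity and the version gating described in the cookie items above, as an added illustration that is not Tornado's code: a simplified signed-value model (assumed here) in which the old format MACs the bare concatenation of name, value and timestamp, while the new format length-prefixes each field, and `verify` with `min_version=2` rejects every old-format cookie. The key, cookie names and values are constructed sample data.

```python
import hmac
import hashlib

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real one

def _mac(msg):
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

def sign_v1(name, value, ts):
    # Naive model (assumed, simplified): MAC over the bare concatenation of
    # name, value and timestamp. Field boundaries are not encoded, so
    # ("a", "bc") and ("ab", "c") yield the identical MAC input "abc<ts>".
    return f"{value}|{ts}|{_mac(name + value + str(ts))}"

def sign_v2(name, value, ts):
    # Hardened model: each field is length-prefixed, so the MAC input is an
    # unambiguous encoding of (ts, name, value). Fields must not contain "|".
    body = "|".join(f"{len(f)}:{f}" for f in (str(ts), name, value))
    return f"2|{body}|{_mac(body)}"

def _field(token):
    # Decode "len:text"; None if the declared length does not match the text.
    n, sep, text = token.partition(":")
    return text if sep and n.isdigit() and int(n) == len(text) else None

def verify(name, cookie, min_version=1):
    # Return the value if the cookie is valid for this cookie name and format
    # version, else None. min_version=2 rejects every old-format cookie.
    parts = cookie.split("|")
    if parts[0] == "2" and len(parts) == 5:
        if min_version > 2:
            return None
        ts, cname, value = (_field(t) for t in parts[1:4])
        body = "|".join(parts[1:4])
        if None in (ts, cname, value) or cname != name:
            return None
        return value if hmac.compare_digest(parts[4], _mac(body)) else None
    if min_version > 1 or len(parts) != 3:
        return None
    value, ts, mac = parts
    return value if hmac.compare_digest(mac, _mac(name + value + ts)) else None
```

In the old model the MAC for cookie "a" with value "bc" verifies under cookie name "ab" with value "c"; the length-prefixed model rejects that, and `min_version=2` closes the transitional window entirely.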