Paul McMillan writes:
> Yes, SimpleCookie is known to be an unpickleable class. We shouldn't
> be directly pickling it anywhere in Django. In your code, you should
> probably turn the cookie into a string before caching it. I'm not
> clear if the bug you're experiencing is happening in Django's code or
> something your application is doing directly with SimpleCookie.
> I think that your provided test case is trying to do something that is
> explicitly not supported, but I'm unclear on whether or not there is
> an issue in Django-provided code. Could you provide a little more
I am not trying to pickle SimpleCookie directly -- in fact, I enabled
the cache middlewares in settings.py and then set CACHE_BACKEND to
I then had a view with no specific cache decorators, but since the
session backend is also on it added the `Vary: Cookie' header.
After that, I started noticing that a login page including the
`csrf_token' tag started repeating the token when I used curl to access
it without providing any cookies or login credentials. And after the
first time I accessed it, the Set-Cookie header started misbehaving like
it did in the test case I attached -- instead of looking like

    Set-Cookie: foo=bar; other-parameters;

it was looking like

    Set-Cookie: foo="Set-Cookie: foo=bar; other-parameters;"

and the value in the csrf tag was being expanded to something along the
lines of "Set-Cookie: foo=bar; other-parameters;", so validation failed
Some investigation led me to find the problem in the cache backend I was
using, as the cookies inside the cached HttpResponse were being
serialized incorrectly and later picked by FetchFromCacheMiddleware.
Raphael Kubo da Costa
ProFUSION embedded systems
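
Added example, not part of either message and not Django's code: a sketch of the advice quoted above (turn the cookie into a string before caching it), plus a check for the double-encoded symptom described in the report. It assumes Python 3's `http.cookies`; the function names and cookie values are hypothetical, and `pickle` stands in for the cache backend's serializer.

```python
import pickle
from http.cookies import SimpleCookie


def cookies_to_cacheable(cookies):
    """Flatten a SimpleCookie into plain strings, one per cookie."""
    # OutputString() yields 'name=value; attrs' without the 'Set-Cookie: ' prefix.
    return [morsel.OutputString() for morsel in cookies.values()]


def cookies_from_cacheable(lines):
    """Rebuild a SimpleCookie from the strings produced above."""
    cookies = SimpleCookie()
    for line in lines:
        cookies.load(line)
    return cookies


def roundtrip_through_cache(cookies):
    """Serialize only the string form, the way a cache entry would be stored."""
    blob = pickle.dumps(cookies_to_cacheable(cookies))
    return cookies_from_cacheable(pickle.loads(blob))


def looks_double_encoded(cookies):
    """Names of cookies whose value is itself a Set-Cookie header line."""
    return [name for name, morsel in cookies.items()
            if morsel.value.startswith("Set-Cookie:")]


def sample_cookies():
    """Constructed sample data, not taken from the report."""
    cookies = SimpleCookie()
    cookies["csrftoken"] = "abc123"
    cookies["csrftoken"]["path"] = "/"
    cookies["csrftoken"]["max-age"] = 3600
    cookies["sessionid"] = "xyz789"
    cookies["sessionid"]["httponly"] = True
    return cookies


if __name__ == "__main__":
    restored = roundtrip_through_cache(sample_cookies())
    print(restored.output())
    print("double-encoded:", looks_double_encoded(restored))
```

Running `looks_double_encoded` on responses read back from a cache is a cheap regression check for the behaviour reported in this message.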