bbangert / beaker

WSGI middleware for sessions and caching
https://beaker.readthedocs.org/

Session cookie expiration isn't locale-safe #173

Closed lyrixderaven closed 5 years ago

lyrixderaven commented 5 years ago

The _set_cookie_expires(self,expires) functionality doesn't account for applications that have changed the global locale:

self.cookie[self.key]['expires'] = expires_date.strftime("%a, %d-%b-%Y %H:%M:%S GMT")

produces output similar to 'Do, 16-Mai-2019 09:59:46 GMT' with a global locale setting of de_DE.UTF-8. This is quite problematic, since most browsers will ignore the expiration setting then, leading to all kinds of unintended consequences.

One solution might be to use a thread-safe context manager to force the locale for the date conversion to be en_US.UTF-8 or similar (see https://stackoverflow.com/a/24070673/846274 for an example that should work in this case).

Is there any reason why this function should honor the global application locale at all?

amol- commented 5 years ago

No, it should ignore the global locale setting. I think it was just an old bug because the software was developed in the US and most people keep their servers in EN + UTC configuration.

Most frameworks provide their own implementation of HTTP date formatting; beaker should probably do the same:

werkzeug: https://github.com/pallets/werkzeug/blob/d824659abe95ed31b1f9c355f88c4741da5a6e5f/src/werkzeug/http.py#L812-L843

webob: https://github.com/Pylons/webob/blob/741b3d6c9750ba30ba6fd7bc61d66d9f9febe75b/src/webob/cookies.py#L257-L274
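A locale-independent formatter of the kind suggested above, shown as an added example; it is not beaker's fix and not code from werkzeug or webob. The names `cookie_expires`, `is_valid_cookie_date` and `compare_under_locale` are hypothetical, and a naive datetime is assumed to already be in UTC.

```python
import locale
import re
from datetime import datetime, timezone

# Fixed English names: the cookie date must never depend on LC_TIME.
_DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
_MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Shape of the string the strftime pattern in the issue is meant to produce.
_COOKIE_DATE = re.compile(
    r"^(?:%s), \d{2}-(?:%s)-\d{4} \d{2}:\d{2}:\d{2} GMT$"
    % ("|".join(_DAYS), "|".join(_MONTHS)))


def cookie_expires(dt):
    """Format dt for a cookie 'expires' attribute without using the locale."""
    if dt.tzinfo is not None:
        dt = dt.astimezone(timezone.utc)  # aware values are converted to UTC
    return "%s, %02d-%s-%04d %02d:%02d:%02d GMT" % (
        _DAYS[dt.weekday()], dt.day, _MONTHS[dt.month - 1], dt.year,
        dt.hour, dt.minute, dt.second)


def is_valid_cookie_date(value):
    """Regression check: True only for English day and month abbreviations."""
    return _COOKIE_DATE.match(value) is not None


def compare_under_locale(dt, name="de_DE.UTF-8"):
    """Return (strftime result, safe result) with LC_TIME switched to name.

    Returns None when that locale is not installed on the host.
    """
    saved = locale.setlocale(locale.LC_TIME)
    try:
        locale.setlocale(locale.LC_TIME, name)
    except locale.Error:
        return None
    try:
        return (dt.strftime("%a, %d-%b-%Y %H:%M:%S GMT"), cookie_expires(dt))
    finally:
        locale.setlocale(locale.LC_TIME, saved)  # always restore the setting


if __name__ == "__main__":
    sample = datetime(2019, 5, 16, 9, 59, 46)  # constructed; date from the issue
    print(cookie_expires(sample))
    print(compare_under_locale(sample))
```

`is_valid_cookie_date` can serve as a test assertion on the emitted `Set-Cookie` header, run with a non-English `LC_TIME`, to catch this class of bug before release.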

lyrixderaven commented 5 years ago

Awesome, thanks for the rapid response and fix!

Is there a release schedule that lets me see when this fix will likely be versioned into a release?