The signed-value format used by RequestHandler.set_secure_cookie
and RequestHandler.get_secure_cookie has changed to be more secure.
This is a disruptive change. The secure_cookie functions
take new version parameters to support transitions between cookie
formats.
The new cookie format fixes a vulnerability that may be present in
applications that use multiple cookies where the name of one cookie
is a prefix of the name of another.
To minimize disruption, cookies in the older format will be accepted
by default until they expire. Applications that may be vulnerable
can reject all cookies in the older format by passing min_version=2
to RequestHandler.get_secure_cookie.
Thanks to Joost Pol of Certified Secure
for reporting this issue.
Backwards-compatibility notes
Signed cookies issued by RequestHandler.set_secure_cookie in Tornado
3.2.1 cannot be read by older releases. If you need to run 3.2.1
in parallel with older releases, you can pass version=1 to
RequestHandler.set_secure_cookie to issue cookies that are
backwards-compatible (but have a known weakness, so this option
should only be used for a transitional period).
Other changes
The C extension used to speed up the websocket module now compiles
correctly on Windows with MSVC and 64-bit mode. The fallback to
the pure-Python alternative now works correctly on Mac OS X machines
with no C compiler installed.