I am trying to write a small script that will allow me to see information related to the cookies set by my website.
I want to know if it has secure or httpOnly flags set on them. But so far I wasn't able to do it; I only figured out how to get cookie names and values. Here is my current code:

    r = requests.post('url', data=data, headers=headers)
    for (name, cookie) in r.cookies.items():
        print name, cookie

So far this works fine, but I want to get information related to the cookies, not the value itself. Cookie meta-data if you will.
How can I achieve that?
You can extract the information from each cookie individually:

    import requests

    r = requests.post('http://www.about.com')
    for cookie in r.cookies:
        print(cookie.__dict__)
        print(cookie.secure)

This is because r.cookies is an instance of RequestsCookieJar, which extends from CookieJar (Python 2: cookielib.CookieJar, Python 3: http.cookiejar.CookieJar). A CookieJar has Cookie objects.
Update:
I have not found a way to retrieve the httponly value from a Cookie object. In Python 3, you can define a Morsel object via a dictionary, and it considers httponly to be a standard attribute of a cookie (https://docs.python.org/3/library/http.cookies.html), but I couldn't find any reference to httponly in the defining specification RFC2109 (https://www.ietf.org/rfc/rfc2109.txt).
That said, if httponly is in fact a non-standard attribute, then you can use the following to check if a cookie has it:

    cookie.has_nonstandard_attr('httponly')

Under Python 3, I was not able to retrieve the httpOnly flag from the following:

    cookie.get_nonstandard_attr('httpOnly')

and

    cookie.has_nonstandard_attr('httpOnly')

returned False even if the httpOnly flag was included with the cookie.
This didn't work with any of the variations of httponly, HttpOnly, etc. either.
Using @HEADLESS_0NE's post, I found you can retrieve the flag by looking at the _rest field in cookie.__dict__. If httpOnly is included in the cookie, cookie.__dict__['_rest'] will return something like this:

    {'HttpOnly': None, ...}

Thus, here is a small helper function to check if a cookie has the httpOnly flag.

    def has_http_only(cookie):
        extra_args = cookie.__dict__.get('_rest')
        if extra_args:
            for key in extra_args.keys():
                if key.lower() == 'httponly':
                    return True
        return False

The secure flag is automatically added to the cookie object and can be retrieved using cookie.secure.
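
Added example, not part of either answer above: a cookie-flag audit built on the `_rest` lookup described there, run offline against constructed Set-Cookie headers through the standard-library `http.cookiejar` (the same Cookie objects that r.cookies holds). The names `FakeResponse`, `build_jar`, `nonstandard_attr`, `audit_cookies` and the host `example.test` are assumptions made for this example, and the SameSite check goes beyond the two flags the question asks about.

```python
import http.client
import urllib.request
from http.cookiejar import CookieJar

# Constructed Set-Cookie headers (sample data, not from a real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Path=/",
    "tracker=xyz; Path=/; SameSite=None; httponly",
]

class FakeResponse:
    """Stand-in response: CookieJar.extract_cookies() only calls info()."""
    def __init__(self, set_cookie_lines):
        self._msg = http.client.HTTPMessage()
        for line in set_cookie_lines:
            self._msg.add_header("Set-Cookie", line)
    def info(self):
        return self._msg

def build_jar(set_cookie_lines, url="https://example.test/"):
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie_lines), urllib.request.Request(url))
    return jar

def nonstandard_attr(cookie, name):
    """Case-insensitive lookup in the private cookie._rest dict; returns (present, value)."""
    for key, value in (getattr(cookie, "_rest", None) or {}).items():
        if key.lower() == name.lower():
            return True, value
    return False, None

def audit_cookies(jar):
    """Map each cookie name to a list of missing or inconsistent flags."""
    findings = {}
    for cookie in jar:
        issues = []
        if not cookie.secure:
            issues.append("missing Secure")
        if not nonstandard_attr(cookie, "httponly")[0]:
            issues.append("missing HttpOnly")
        present, value = nonstandard_attr(cookie, "samesite")
        if not present:
            issues.append("missing SameSite")
        elif (value or "").lower() == "none" and not cookie.secure:
            issues.append("SameSite=None without Secure")
        findings[cookie.name] = issues
    return findings
```

With requests, `audit_cookies(r.cookies)` works unchanged on a live response, since RequestsCookieJar iterates over the same Cookie objects.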