Include cookie name in signature so that a value signed for use in one

cookie can't be used in another.  Note that this invalidates all existing
signed cookies.

diff --git a/tornado/web.py b/tornado/web.py
index bd8a6b690e9a0bdad063ebd31ce6206411369a12..47dc34486dfff35179a39b3b0ba9733bedb6c882 100644 (file)
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -262,7 +262,7 @@ class RequestHandler(object):
         """
         timestamp = str(int(time.time()))
         value = base64.b64encode(value)
-        signature = self._cookie_signature(value, timestamp)
+        signature = self._cookie_signature(name, value, timestamp)
         value = "|".join([value, timestamp, signature])
         self.set_cookie(name, value, expires_days=expires_days, **kwargs)
 
@@ -273,7 +273,7 @@ class RequestHandler(object):
         parts = value.split("|")
         if len(parts) != 3: return None
         if not _time_independent_equals(parts[2],
-                    self._cookie_signature(parts[0], parts[1])):
+                    self._cookie_signature(name, parts[0], parts[1])):
             logging.warning("Invalid cookie signature %r", value)
             return None
         timestamp = int(parts[1])