unable to retrieve tornado secure cookie

For some reason I'm unable to retrieve a secure cookie I've set with tornado. Using Firebug I can see the cookie and its expiration date, but when I try to print or retrieve it, it keeps coming up as None. Is there some way I'm invalidating it that I can't see? This is the code I'm using:

import datetime
import os

import tornado.web

import pumpkinsdb  # the poster's own database module


class loginHandler(tornado.web.RequestHandler):
    def post(self):
        # first type of request made to this page is a post
        userEmail = self.get_argument("username")
        password = self.get_argument("password")
        deviceType = self.get_argument("deviceType")

        # get some info from the client header
        userIp = self.request.headers['X-Real-Ip']
        userAgentInfo = self.request.headers['User-Agent']

        result = pumpkinsdb.loginUser(userEmail, password, deviceType, userIp, userAgentInfo)
        if result is None:
            self.redirect("/")
        else:
            fullname = pumpkinsdb.pumpkinsdb_user['fullName']
            this_page_title = fullname if fullname else pumpkinsdb.pumpkinsdb_user['userEmail']

            # successful login set up user's cookies
            # self.set_secure_cookie("memberId", str(user['memberId']), expires_days=0.1, secure=True, httponly=True)
            self.set_secure_cookie("memberId", str(pumpkinsdb.pumpkinsdb_user['memberId']))
            self.write(str(self.get_secure_cookie("memberId")))

            time_now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
            print("{} [{}::get] pid[{}] login requested for user: [{}] from [{}] using [{}]".format(
                time_now, self.__class__.__name__, os.getpid(), pumpkinsdb.pumpkinsdb_user['emailAddress'],
                pumpkinsdb.pumpkinsdb_user['userIp'], pumpkinsdb.pumpkinsdb_user['userAgentInfo']))

            self.render('calendar.html', title=this_page_title)

    def get(self):
        # get_secure_cookie returns None when the cookie is missing or its signature does not verify
        validSession = self.get_secure_cookie("memberId")
        if validSession:
            this_page_title = pumpkinsdb.pumpkinsdb_user['fullName']
            self.render('calendar.html', title=this_page_title)
        else:
            print(self.get_secure_cookie("memberId"))
            self.write(str(validSession))

Is your cookie secret changing somehow when you restart the server? If the cookie secret changes, all existing cookies are invalidated. Note that even though the cookie secret should be randomly generated, this doesn't mean you should have something like cookie_secret=os.urandom(16) in your code, because that will generate a new secret every time. Instead, you need to call os.urandom once and save its output somewhere (keep it safe and private, like your TLS keys).

So basically the problem was I had four tornado processes running behind nginx, and for each tornado process I generated a unique random string with:

cookie_secret = base64.b64encode(uuid.uuid4().bytes + uuid.uuid4().bytes)

Obviously that was my problem, because each tornado process had a different secret, so when I tried to read it tornado thought it was invalid.

The key is to generate a unique random string but then store it somewhere secure such as in your options:

define("cookie_secret", default="934893012jer9834jkkx;#$592920231@@##")

or whatever string you deem fit.

Thank you to everyone that responded. Sorry about that.
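
Added example, not part of the original posts: a standard-library sketch of the failure and the fix the two answers above describe. The helpers `load_cookie_secret`, `mac_hex`, `sign`, `verify` and `demo` are hypothetical names, the secret file location is an assumption, and the HMAC cookie format is a simplified stand-in for Tornado's signed cookies, not its real wire format.

```python
import base64, hashlib, hmac, os, tempfile

def load_cookie_secret(path):
    """Create the secret once, then return the same bytes to every worker."""
    if not os.path.exists(path):
        # mkstemp creates the file with mode 0600 in the target directory.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        with os.fdopen(fd, "wb") as f:
            f.write(base64.b64encode(os.urandom(32)))
        try:
            os.link(tmp, path)  # atomic: fails if another worker got there first
        except FileExistsError:
            pass
        finally:
            os.unlink(tmp)
    with open(path, "rb") as f:
        return f.read()

def mac_hex(secret, name, value):
    return hmac.new(secret, (name + "|" + value).encode(), hashlib.sha256).hexdigest()

def sign(secret, name, value):
    # Simplified stand-in for a signed cookie: value plus HMAC over name and value.
    return value + "|" + mac_hex(secret, name, value)

def verify(secret, name, signed):
    # Returns None on a bad signature, as get_secure_cookie does.
    value, _, tag = signed.rpartition("|")
    return value if hmac.compare_digest(tag, mac_hex(secret, name, value)) else None

def demo():
    # Broken: each worker generates its own secret at start-up.
    worker_a, worker_b = os.urandom(32), os.urandom(32)
    broken = verify(worker_b, "memberId", sign(worker_a, "memberId", "42"))
    # Fixed: both workers load the one stored secret.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cookie_secret")  # constructed path for the demo
        worker_a, worker_b = load_cookie_secret(path), load_cookie_secret(path)
        fixed = verify(worker_b, "memberId", sign(worker_a, "memberId", "42"))
    return broken, fixed

if __name__ == "__main__":
    print(demo())
```

In the setup from the thread, each of the four processes behind nginx would pass the loaded value as `cookie_secret` in its `tornado.web.Application` settings, so a cookie signed by one process verifies in the others.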
