The cookielib module uses time.time(), which produces a timestamp in the local timezone (as read from the system time?), as the timestamp against which expiration dates in cookies are compared.

However, typical usage of HTTP cookies would be specifying the expiration date in UTC. This assumption seems to be supported for example by the inclusion of cookielib.http2time, which (only) supports UTC timestamps.

This behaviour is also included in e.g. MozillaCookieJar, which (erroneously) excludes cookies from being saved/loaded based on the local timestamp from time.time().

See the attached file for a small example where the check if a cookie is expired against a UTC time is correct but the check against local time fails (simulating the behaviour of the cookielib module).

If you have not, please check if this issue applies to 3.4, and post a 3.4 version of the test file.

In the absence of a standard, I am not sure if this is a bug, and even if we call it such, whether 2.7 should be changed.

I've checked and an updated test file for 3.4 shows the same behaviour in the renamed module http.cookiejar.

Even though no standard exists I hope 3.4+ would be changed to simplify the cookie handling, since there is a lot of hassle converting UTC times to local times (which in general should be avoided to avoid introducing further problems with e.g. daylight savings).

time.time() returns the current time in seconds since Epoch
it is neither local nor UTC time. It can be converted to both.

You can get local time using datetime.fromtimestamp(ts).
You can get UTC time using datetime.utcfromtimestamp(ts) or
to get an aware datetime object: datetime.fromtimestamp(ts, timezone.utc), where ts is the timestamp in seconds since Epoch.

I don't know whether there is an issue with cookie.is_expired() but it
is incorrect to use time.mktime() with UTC time tuple unless the local
time is UTC. To get the timestamp from a datetime object, you could
use .timestamp() method instead:

  from datetime import datetime, timezone

  now = datetime.now(timezone.utc) # the current time
  seconds_since_epoch = now.timestamp()
  seconds_since_epoch = time.time() # might be less precise

Note the .timestamp() method will work correctly if the datetime object is expressed in *local time*, which is not what Rebecka's code uses. Otherwise the incantation is a bit more complex:

https://docs.python.org/3/library/datetime.html#datetime.datetime.timestamp

(also .timestamp() doesn't exist in 2.7, in which case the manual computation must also be used)

timestamp() method works correctly for an aware datetime objects
as in my example (notice: timezone.utc in the code).

The issue is not that it is a manual computation,
the issue is that it is incorrect:

  #XXX WRONG, DO NOT DO IT
  time.mktime(datetime.datetime.utcnow().timetuple())

On older Python versions, given a utc time as a naive datetime
object, POSIX timestamp is:

  ts = (utc_dt - datetime(1970, 1, 1)).total_seconds()
  utc_dt = datetime(1970, 1, 1) + timedelta(seconds=ts) # in reverse

The last example assumes that time.gmtime(0) is 1970-01-01 00:00:00Z
(otherwise time.time() may return different timestamp)

Akira is correct: using time.mktime to produce the expiration date for the cookie is wrong (thank you very much for the pointers!).

Using e.g. http.cookiejar.http2time with a HTTP formatted date string gives a correct time stamp (with which cookie.is_expired succeeds), so this was not a bug (just user error...).