Opened 10 years ago

Closed 10 years ago

Last modified 8 years ago

#10560 closed Uncategorized (invalid)

with SESSION_COOKIE_DOMAIN = '.localhost' cookie problem (development server)

Reported by: sergey.kish@… Owned by: nobody
Component: HTTP handling Version: 1.0
Severity: Normal Keywords: cookie, localhost, settings
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


I used SESSION_COOKIE_DOMAIN = '.localhost' to share cookie between subdomains and get error "Looks like your browser isn't configured to accept cookies..."

~$ cat /etc/hosts       localhost       london.localhost

But with SESSION_COOKIE_DOMAIN = '' all works good

Ubuntu/8.10 (intrepid) Firefox/3.0.7 Django version 1.0.2 final

Development server is running at

Test project is an empty generated Django project. I only configured db (sqlite3), enabled admin and set SESSION_COOKIE_DOMAIN variable. Server doesn't set cookie, as I understand it is HTTP problem.

Attachments (1) (2.3 KB) - added by 10 years ago.
test project

Download all attachments as: .zip

Change History (5)

Changed 10 years ago by

Attachment: added

test project

comment:1 Changed 10 years ago by Malcolm Tredinnick

Resolution: invalid
Status: newclosed

This isn't a bug in Django. It's a security feature for cookies that every browser implements. There are restrictions on what you can set for a domain so that you can't, for example, set a cookie for all of ".com". Things like the domain must contain two components in most situations (or more sometimes to avoid setting a cookie for all of "").

See here or here for some discussion around this. There aren't any hard and fast standards for cookies (even the RFCs aren't implemented fully), but the browser manufacturers are all converging on the same standards.

We could maybe add a note to the documentation about this for people doing testing, although it's really out of scope for Django (since it's not at all Django-specific; that's just the way the internet works).

comment:2 Changed 8 years ago by cummingscs@…

So this isn't a bug in Django, but I would say that not only should you add that note in documentation but the dev server should either warn or error (invalid config) when .localhost is specified as either the session-cookie or csrf-cookie domain. Yes this is "the way the internet works", but it's easy to not realize this and waste some time thinking that it might/should work.

comment:3 Changed 8 years ago by anonymous

BTW, sorry if that was worded strongly. That was meant along the lines of "how things should functionaly be", not "what you should do for me." It's on my TODO list to supply a patch for this (both an addition to the doc and to raise an InvalidConfig exception when .localhost is given as a session- or csrf-cookie.

comment:4 Changed 8 years ago by Steven Cummings

Severity: Normal
Type: Uncategorized

As promised, patch provided on new ticket #15797.

Note: See TracTickets for help on using tickets.
Back to Top