Opened 6 years ago

Closed 6 years ago

Last modified 4 years ago

#10560 closed Uncategorized (invalid)

with SESSION_COOKIE_DOMAIN = '.localhost' cookie problem (development server)

Reported by: sergey.kish@…
Owned by: nobody
Component: HTTP handling
Version: 1.0
Severity: Normal
Keywords: cookie, localhost, settings
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

I used SESSION_COOKIE_DOMAIN = '.localhost' to share cookies between subdomains and got the error "Looks like your browser isn't configured to accept cookies..."

~$ cat /etc/hosts
127.0.0.1       localhost
127.0.0.1       london.localhost
127.0.0.1       beatsimple.com
127.0.0.1       london.beatsimple.com

But with SESSION_COOKIE_DOMAIN = '.beatsimple.com' everything works fine.

Ubuntu/8.10 (intrepid) Firefox/3.0.7 Django version 1.0.2 final

Development server is running at http://127.0.0.1:8000/

Test project is an empty generated Django project. I only configured the db (sqlite3), enabled admin and set the SESSION_COOKIE_DOMAIN variable. The server doesn't set the cookie; as I understand it, this is an HTTP problem.

Attachments (1)

testcookie.zip (2.3 KB) - added by sergeykish.com/ 6 years ago.
test project


Change History (5)

Changed 6 years ago by sergeykish.com/

test project

comment:1 Changed 6 years ago by mtredinnick

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

This isn't a bug in Django. It's a security feature for cookies that every browser implements. There are restrictions on what you can set for a domain so that you can't, for example, set a cookie for all of ".com". Things like the domain must contain two components in most situations (or more sometimes to avoid setting a cookie for all of ".com.au").

See here or here for some discussion around this. There aren't any hard and fast standards for cookies (even the RFCs aren't implemented fully), but the browser manufacturers are all converging on the same standards.

We could maybe add a note to the documentation about this for people doing testing, although it's really out of scope for Django (since it's not at all Django-specific; that's just the way the internet works).

comment:2 Changed 4 years ago by cummingscs@…

So this isn't a bug in Django, but I would say that not only should you add that note in documentation but the dev server should either warn or error (invalid config) when .localhost is specified as either the session-cookie or csrf-cookie domain. Yes this is "the way the internet works", but it's easy to not realize this and waste some time thinking that it might/should work.

comment:3 Changed 4 years ago by anonymous

BTW, sorry if that was worded strongly. That was meant along the lines of "how things should functionally be", not "what you should do for me." It's on my TODO list to supply a patch for this (both an addition to the doc and to raise an InvalidConfig exception when .localhost is given as a session- or csrf-cookie).
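
The configuration check that comment 2 and comment 3 ask for, written as an added example (not from the ticket, its later patch, or Django itself): a stdlib-only Python check that applies the two-label rule mtredinnick describes to SESSION_COOKIE_DOMAIN and CSRF_COOKIE_DOMAIN, and additionally rejects an IP address as a cookie domain, which the ticket does not discuss; the settings dict and the function names are assumptions.

```python
import re

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def cookie_domain_problem(domain):
    """Return None if `domain` is a cookie domain browsers will accept,
    otherwise a message saying why the cookie would be silently dropped.

    Rule as described in this ticket: a Domain attribute needs at least two
    labels, so '.localhost' (or '.com') is refused while '.beatsimple.com'
    is accepted. Two labels is an approximation; browsers consult the public
    suffix list, which also refuses names such as '.com.au'.
    """
    if domain is None:
        return None  # no Domain attribute: host-only cookie, always fine
    host = domain.lstrip(".")
    if not host:
        return "cookie domain %r is empty" % domain
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return "cookie domain %r is an IP address; Domain must be a name" % domain
    for label in labels:
        if not _LABEL.match(label):
            return "invalid label %r in cookie domain %r" % (label, domain)
    if len(labels) < 2:
        return ("cookie domain %r has a single label; browsers refuse domain "
                "cookies for top-level names such as '.localhost', so the "
                "session cookie is never stored" % domain)
    return None


def check_cookie_settings(settings):
    """Run the check over the two cookie-domain settings of a dict that
    stands in for a Django settings module (constructed input)."""
    problems = []
    for name in ("SESSION_COOKIE_DOMAIN", "CSRF_COOKIE_DOMAIN"):
        message = cookie_domain_problem(settings.get(name))
        if message:
            problems.append("%s: %s" % (name, message))
    return problems


if __name__ == "__main__":
    # The two configurations from the ticket: the first is rejected, the second passes.
    for cfg in ({"SESSION_COOKIE_DOMAIN": ".localhost"},
                {"SESSION_COOKIE_DOMAIN": ".beatsimple.com"}):
        print(cfg, "->", check_cookie_settings(cfg) or "ok")
```

Wired into Django's system-check framework the same function would run at `runserver` start, which is where comment 2 wants the warning.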

comment:4 Changed 4 years ago by estebistec

  • Severity set to Normal
  • Type set to Uncategorized

As promised, patch provided on new ticket #15797.
