#10560 closed Uncategorized (invalid)
with SESSION_COOKIE_DOMAIN = '.localhost' cookie problem (development server)
| Reported by: | | Owned by: | nobody |
|---|---|---|---|
| Component: | HTTP handling | Version: | 1.0 |
| Severity: | Normal | Keywords: | cookie, localhost, settings |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I used SESSION_COOKIE_DOMAIN = '.localhost' to share a cookie between subdomains and get the error "Looks like your browser isn't configured to accept cookies..."
```
~$ cat /etc/hosts
127.0.0.1 localhost
127.0.0.1 london.localhost
127.0.0.1 beatsimple.com
127.0.0.1 london.beatsimple.com
```
But with SESSION_COOKIE_DOMAIN = '.beatsimple.com' everything works fine.
Ubuntu/8.10 (intrepid), Firefox/3.0.7, Django version 1.0.2 final
Development server is running at http://127.0.0.1:8000/
Test project is an empty generated Django project. I only configured the db (sqlite3), enabled admin and set the SESSION_COOKIE_DOMAIN variable. The server doesn't set the cookie; as I understand it, it is an HTTP problem.
Attachments (1)
Change History (5)
by , 16 years ago
Attachment: testcookie.zip added (test project)
comment:1 by , 16 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
This isn't a bug in Django. It's a security feature for cookies that every browser implements. There are restrictions on what you can set for a domain so that you can't, for example, set a cookie for all of ".com". Things like the domain must contain two components in most situations (or more sometimes to avoid setting a cookie for all of ".com.au").
See here or here for some discussion around this. There aren't any hard and fast standards for cookies (even the RFCs aren't implemented fully), but the browser manufacturers are all converging on the same standards.
We could maybe add a note to the documentation about this for people doing testing, although it's really out of scope for Django (since it's not at all Django-specific; that's just the way the internet works).
comment:2 by , 14 years ago
So this isn't a bug in Django, but I would say that not only should you add that note in documentation but the dev server should either warn or error (invalid config) when .localhost is specified as either the session-cookie or csrf-cookie domain. Yes this is "the way the internet works", but it's easy to not realize this and waste some time thinking that it might/should work.
comment:3 by , 14 years ago
BTW, sorry if that was worded strongly. That was meant along the lines of "how things should functionally be", not "what you should do for me." It's on my TODO list to supply a patch for this (both an addition to the doc and to raise an InvalidConfig exception when .localhost is given as a session- or csrf-cookie).
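A startup check of the kind comments 2 and 3 ask for, written as an added example (not Django's own code and not the patch on #15797), encoding the browser rule comment 1 describes. It assumes the settings arrive as a plain dict, and its public-suffix set is a small constructed sample standing in for the real Public Suffix List.

```python
"""Startup check for cookie-domain settings that browsers will reject.

Added example for this ticket, not Django's own code. It encodes the rule
from comment 1: a cookie Domain needs at least two labels and must not be a
public suffix such as "com.au". PUBLIC_SUFFIXES is a small constructed
sample; a real check would consult the Public Suffix List (publicsuffix.org).
"""

# Constructed sample of public suffixes (the real list has thousands).
PUBLIC_SUFFIXES = {"com", "net", "org", "au", "com.au", "uk", "co.uk"}


def cookie_domain_problems(domain):
    """Return a list of problems for a SESSION_COOKIE_DOMAIN or
    CSRF_COOKIE_DOMAIN value; an empty list means browsers will keep it.
    None (Django's default) yields a host-only cookie and is always fine."""
    if domain is None:
        return []
    if not isinstance(domain, str) or not domain.strip():
        return ["cookie domain must be None or a non-empty string"]

    # RFC 6265 browsers ignore a leading dot; older ones required it.
    host = domain.strip().lower().lstrip(".")
    labels = host.split(".")
    problems = []

    if len(labels) < 2 or not all(labels):
        # The ticket's case: '.localhost' has one label, so the browser
        # drops the Set-Cookie and Django never sees a session cookie.
        problems.append(
            f"{domain!r} has fewer than two labels; browsers reject it "
            "(leave the setting as None when testing on localhost)"
        )
    if host in PUBLIC_SUFFIXES:
        # Such a cookie would be sent to every site under the suffix,
        # so browsers refuse to store it.
        problems.append(f"{domain!r} is a public suffix; browsers reject it")
    return problems


def check_cookie_domains(settings):
    """Check both cookie-domain settings in a settings mapping and return
    {setting_name: [problems]} for those a browser would reject."""
    report = {}
    for name in ("SESSION_COOKIE_DOMAIN", "CSRF_COOKIE_DOMAIN"):
        problems = cookie_domain_problems(settings.get(name))
        if problems:
            report[name] = problems
    return report
```

Running it over the ticket's two settings flags only '.localhost'; '.beatsimple.com' passes, which matches the reporter's observation.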
comment:4 by , 14 years ago
| Severity: | → Normal |
|---|---|
| Type: | → Uncategorized |
As promised, patch provided on new ticket #15797.