django.contrib.messages.storage.fallback.CookieStorage does not behave properly with subdomains
|Reported by:||Chris Lamb||Owned by:||nobody|
|Cc:||Chris Lamb, niels.busch@…||Triage Stage:||Ready for checkin|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Imagine you have two domains "www.example.com" and "special.example.com". Your
SESSION_COOKIE_DOMAIN is set to ".example.com" so that users are logged-in across these two subdomains.
The problem arises when a page on "www.example.com" sets a
django.contrib.message and redirects to "special.example.com", the user will not see it unless they return to "www.example.com" as the default domain of the cookie is the current one. This naturally causes confusion as actions users have performed in the past suddenly are being confirmed (!).
This happens with
FallbackStorage too as it wraps
Patch attached that sets the domain of the CookieStorage cookie to SESSION_COOKIE_DOMAIN. Whilst this works, it might be better to not couple
messages in this way, so we could alternatively introduce a new setting under a the
Change History (9)
comment:2 Changed 6 years ago by
|Patch needs improvement:||unset|