django.contrib.messages.storage.fallback.CookieStorage does not behave properly with subdomains
Reported by: lamby
Owned by: nobody
Cc: lamby, niels.busch@…
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Imagine you have two domains "www.example.com" and "special.example.com". Your SESSION_COOKIE_DOMAIN is set to ".example.com" so that users are logged-in across these two subdomains.
The problem arises when a page on "www.example.com" sets a django.contrib.messages message and redirects to "special.example.com": the user will not see it unless they return to "www.example.com", as the default domain of the cookie is the current one. This naturally causes confusion, as actions users performed in the past are suddenly being confirmed (!).
This happens with FallbackStorage too as it wraps CookieStorage.
Patch attached that sets the domain of the CookieStorage cookie to SESSION_COOKIE_DOMAIN. Whilst this works, it might be better not to couple sessions and messages in this way, so we could alternatively introduce a new setting under the MESSAGE_STORAGE_ namespace.
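The scoping behaviour the ticket describes can be reproduced without Django. The example below is an added illustration, not code from the ticket or from Django: it models the browser's cookie store with the standard library's `http.cookiejar` (default policy) and feeds it constructed `Set-Cookie` headers named `messages` (Django's default cookie name for CookieStorage; the real value is a signed JSON payload, which is irrelevant to scoping and replaced by a placeholder here). The host names are the ones from the ticket. With no `Domain` attribute the cookie is bound to the host that set it, so the redirect target never receives it; with `Domain=.example.com`, which is what the attached patch achieves by reusing SESSION_COOKIE_DOMAIN, both subdomains receive it. A third case goes beyond the ticket and shows that a response from `www` cannot scope a cookie to the sibling `special.example.com` directly, so widening to the common parent is the only option.

```python
"""Model of the messages-cookie scoping problem using only the stdlib."""
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info().get_all()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header  # Message appends, so get_all() sees each one

    def info(self):
        return self._headers


def cookie_sent_after_redirect(set_on_url, set_cookie_header, redirect_url):
    """Store the cookie a response from ``set_on_url`` sets, then report what the
    browser (modelled by CookieJar with DefaultCookiePolicy) would send on the
    follow-up request to ``redirect_url``.

    Returns the Cookie request header string, or None when nothing is sent."""
    jar = http.cookiejar.CookieJar()
    first = urllib.request.Request(set_on_url)
    jar.extract_cookies(_FakeResponse([set_cookie_header]), first)
    follow_up = urllib.request.Request(redirect_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


# Constructed Set-Cookie headers (assumption: placeholder value; Django's real cookie
# value is a signed JSON message list, which does not affect domain scoping).
WITHOUT_DOMAIN = "messages=pending-message; Path=/"            # current behaviour
WITH_SESSION_DOMAIN = "messages=pending-message; Path=/; Domain=.example.com"  # patched behaviour
WRONG_SIBLING_DOMAIN = "messages=pending-message; Path=/; Domain=special.example.com"

WWW = "http://www.example.com/"
SPECIAL = "http://special.example.com/"

if __name__ == "__main__":
    cases = (
        ("no Domain attribute", WITHOUT_DOMAIN),
        ("Domain=.example.com", WITH_SESSION_DOMAIN),
        ("Domain=special.example.com", WRONG_SIBLING_DOMAIN),
    )
    for label, header in cases:
        print(f"{label}: www -> special: {cookie_sent_after_redirect(WWW, header, SPECIAL)!r}")
        print(f"{label}: www -> www:     {cookie_sent_after_redirect(WWW, header, WWW)!r}")
```

Running it shows the host-bound cookie reaching only `www.example.com`, the `.example.com` cookie reaching both hosts, and the sibling-scoped cookie being rejected outright by the cookie store. The security trade-off is the same one already accepted for the session: a cookie scoped to `.example.com` is readable by every subdomain under it, including any the operator does not control, which is why coupling the messages cookie to SESSION_COOKIE_DOMAIN (rather than a wider domain) is a sensible default.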
Change History (9)
Changed 3 years ago by lamby
comment:2 Changed 3 years ago by adrian
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
comment:3 Changed 3 years ago by lamby
- Resolution fixed deleted
- Status changed from closed to reopened