id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
15618	django.contrib.messages.storage.fallback.CookieStorage does not behave properly with subdomains	Chris Lamb	nobody	"Imagine you have two domains ""www.example.com"" and ""special.example.com"". Your `SESSION_COOKIE_DOMAIN` is set to "".example.com"" so that users are logged-in across these two subdomains.

The problem arises when a page on ""www.example.com"" sets a `django.contrib.message` and redirects to ""special.example.com"", the user will not see it unless they return to ""www.example.com"" as the default domain of the cookie is the current one. This naturally causes confusion as actions users have performed in the past suddenly are being confirmed (!).

This happens with `FallbackStorage` too as it wraps `CookieStorage`.

Patch attached that sets the domain of the CookieStorage cookie to SESSION_COOKIE_DOMAIN. Whilst this works, it might be better to not couple `sessions` and `messages` in this way, so we could alternatively introduce a new setting under the `MESSAGE_STORAGE_` namespace."		closed	Contrib apps	1.2		fixed		Chris Lamb niels.busch@…	Ready for checkin	1	0	0	0	0	0
