Opened 2 years ago

Closed 2 years ago

#20085 closed Bug (fixed)

Documentation to describe cross-domain caveat with SESSION_COOKIE_DOMAIN

Reported by: ryanisnan@… Owned by: nobody
Component: contrib.sessions Version: master
Severity: Normal Keywords: session SESSION_COOKIE_DOMAIN documentation
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I recently ran into an issue with updating SESSION_COOKIE_DOMAIN on a production site.

I went from using the standard domain setting (None, default), to using a cross-domain setting (.example.com). The problem was that existing users who already had established cookies ran into authentication problems as soon as they tried to log in.

It seems that because of the change in the cookie domain, their browsers (noticed in FF 19 and IE 9) failed to update the cookies' domains, which left the client unable to log in, despite everything working on the server. The only current solution I found was to destroy the cookies locally (and via JS for my users).

For now, concerning this ticket, I have submitted a pull request to update the documentation to contain a small note about this caveat: https://github.com/django/django/pull/927

As an aside to this ticket, I chatted with FunkyBob in #django about a potential fix for this. Perhaps the server can be a bit more selective when analyzing incoming cookies from the client, and notice discrepancies in their domain setting. When one is detected, perhaps they can be updated on the client?

Change History (2)

comment:1 Changed 2 years ago by FunkyBob

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

My suggestion was a flag for the sessions middleware to enforce that the session cookie have a matching domain. However, I've not looked yet at how much detail on each cookie is easily available.

In such cases, if possible, solutions would include:
1) deleting the old cookie
2) 'promoting' the old cookie to the current settings
3) ignore the old cookie, and look only at 'correct' ones.

comment:2 Changed 2 years ago by jacob

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in [20661d2].

Note: See TracTickets for help on using tickets.
Back to Top