Code

#20085 closed Bug (fixed)

Documentation to describe cross-domain caveat with SESSION_COOKIE_DOMAIN

Reported by: ryanisnan@… Owned by: nobody
Component: contrib.sessions Version: master
Severity: Normal Keywords: session SESSION_COOKIE_DOMAIN documentation
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I recently ran into an issue with updating SESSION_COOKIE_DOMAIN on a production site.

I went from using the standard domain setting (None, default), to using a cross-domain setting (.example.com). The problem was that existing users who already had established cookies ran into authentication problems as soon as they tried to log in.

It seems that because of the change in the cookie domain, their browsers (noticed in FF 19 and IE 9) failed to update the cookies' domains, which left the client unable to log in, despite everything working on the server. The only current solution I found was to destroy the cookies locally (and via JS for my users).

For now, concerning this ticket, I have submitted a pull request to update the documentation to contain a small note about this caveat: https://github.com/django/django/pull/927

As an aside to this ticket, I chatted with FunkyBob in #django about a potential fix for this. Perhaps the server can be a bit more selective when analyzing incoming cookies from the client, and notice discrepancies in their domain setting. When one is detected, perhaps they can be updated on the client?

Attachments (0)

Change History (2)

comment:1 Changed 16 months ago by FunkyBob

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

My suggestion was a flag for the sessions middleware to enforce that the session cookie have a matching domain. However, I've not looked yet at how much detail on each cookie is easily available.

In such cases, if possible, solutions would include:
1) deleting the old cookie
2) 'promoting' the old cookie to the current settings
3) ignore the old cookie, and look only at 'correct' ones.

comment:2 Changed 16 months ago by jacob

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in [20661d2].

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.