Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#24799 closed Bug (fixed)

Cookie-backed sessions fail to flush with a custom SESSION_COOKIE_DOMAIN

Reported by: Pindi Albert
Owned by: nobody
Component: contrib.sessions
Version: 1.8
Severity: Release blocker
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

In Django 1.8, the behavior of SessionStore.flush() was changed according to the release notes to delete the session cookie. However, with a custom SESSION_COOKIE_DOMAIN, the custom domain is included when the cookie is set, but not when it is deleted. This makes browsers ignore the attempted deletion and the cookie remains.

This is fine for database-backed sessions, since the session is also removed from the database, but with cookie-backed sessions the end result is that flush() is a no-op, the worst consequence being users are unable to log out of sites.

Here's an example of Django setting the session cookie on login:

Set-Cookie: sessionid="<redacted>"; Domain=.example.local; expires=Wed, 27-May-2015 22:58:18 GMT; httponly; Max-Age=1209600; Path=/

And here's an example of it attempting but failing to delete it on logout (note the lack of Domain field):

Set-Cookie: sessionid=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/

Steps to reproduce:

  1. Start a new Django project. Enable the admin.
  2. Add the following settings:
    • SESSION_COOKIE_DOMAIN = '.example.local'
    • SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies'
  3. Set up your machine so that "www.example.local" resolves to 127.0.0.1, then access the development server using "www.example.local".
  4. Create a superuser and log into the admin.
  5. Click "Logout" in the admin. While the page says you were logged out, if you go back to "www.example.local/admin" you will still be logged in.
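The browser rule behind this report is that a cookie is identified by name, domain and path together, so a deletion that omits Domain targets a different (host-only) cookie and leaves the domain cookie alone. The following is an added example, not code from the ticket or from Django: it replays the two Set-Cookie headers above through Python's http.cookiejar, which applies the same identity rule, using the host and domain from the reproduction steps and a placeholder session value.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed values: host and domain are the ones from the reproduction
# steps above; the session value is a placeholder, not a real session id.
REQUEST_URL = "http://www.example.local/admin/"
LOGIN = "sessionid=PLACEHOLDER; Domain=.example.local; Max-Age=1209600; Path=/; HttpOnly"
# Deletion header as emitted before the fix: no Domain attribute.
LOGOUT_BROKEN = "sessionid=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/"
# Deletion header that carries the same Domain as the cookie being deleted.
LOGOUT_FIXED = LOGOUT_BROKEN + "; Domain=.example.local"


class _Response:
    """Minimal stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message appends, so repeats are kept

    def info(self):
        return self._headers


def apply_set_cookie(jar, header):
    """Feed one Set-Cookie header into the jar as if it came from REQUEST_URL."""
    request = urllib.request.Request(REQUEST_URL)
    jar.extract_cookies(_Response([header]), request)


def session_cookies(jar):
    """Return (domain, value) for every sessionid cookie the jar still holds."""
    return sorted((c.domain, c.value) for c in jar if c.name == "sessionid")


def simulate_logout(logout_header):
    """Log in, then apply the given logout header; return what survives."""
    jar = http.cookiejar.CookieJar()
    apply_set_cookie(jar, LOGIN)
    apply_set_cookie(jar, logout_header)
    return session_cookies(jar)


if __name__ == "__main__":
    # The broken header clears a host-only 'www.example.local' cookie that does
    # not exist, so the '.example.local' session cookie survives the logout.
    print("after broken logout:", simulate_logout(LOGOUT_BROKEN))
    print("after fixed logout: ", simulate_logout(LOGOUT_FIXED))
```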

Change History (3)

comment:1 Changed 4 years ago by Tim Graham

Has patch: set
Severity: Normal → Release blocker
Triage Stage: Unreviewed → Accepted

comment:2 Changed 4 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: new → closed

In 2dee853:

Fixed #24799 -- Fixed session cookie deletion when using SESSION_COOKIE_DOMAIN

comment:3 Changed 4 years ago by Tim Graham <timograham@…>

In 3c659856:

[1.8.x] Fixed #24799 -- Fixed session cookie deletion when using SESSION_COOKIE_DOMAIN

Backport of 2dee853ed4def42b7ef1b3b472b395055543cc00 from master
