Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#26783 closed Bug (fixed)

SessionMiddleware does not correctly delete an empty session cookie when SESSION_COOKIE_PATH is set

Reported by: Jon Dufresne
Owned by: nobody
Component: contrib.sessions
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

SessionMiddleware is not passing the SESSION_COOKIE_PATH to response.delete_cookie() path argument. Browsers will not delete the cookie if the path does not match. This fact is acknowledged in Django's documentation.

Due to the way cookies work, path and domain should be the same values you used in set_cookie() – otherwise the cookie may not be deleted.

Link to bug in code:

https://github.com/django/django/blob/9baf692/django/contrib/sessions/middleware.py#L38
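
The behaviour described above, as an added example that is not part of the ticket or of Django's code: a simplified model of a browser cookie store, where a cookie is identified by name, domain and path, shows why a deletion header sent with the default path leaves a session cookie set under another path in place. `BrowserJar`, `session_survives` and the cookie name, path and host are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample values, not taken from the ticket.
COOKIE_NAME = "sessionid"
COOKIE_PATH = "/app/"  # stands in for a non-default SESSION_COOKIE_PATH
HOST = "example.com"


def set_cookie_header(name, value, path="/", max_age=None):
    """Build a Set-Cookie header value with the standard library."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = path
    if max_age is not None:
        cookie[name]["max-age"] = max_age
    return cookie[name].OutputString()


def deletion_header(name, path="/"):
    """Deletion is an empty, already-expired cookie carrying the same path."""
    return set_cookie_header(name, "", path=path, max_age=0)


class BrowserJar:
    """Simplified store (assumption): entries keyed by (name, domain, path)."""

    def __init__(self, host):
        self.host = host
        self.store = {}

    def receive(self, header):
        for name, morsel in SimpleCookie(header).items():
            key = (name, self.host, morsel["path"] or "/")
            if morsel["max-age"] != "" and int(morsel["max-age"]) <= 0:
                self.store.pop(key, None)  # expires only the matching entry
            else:
                self.store[key] = morsel.value


def session_survives(delete_path):
    """True if the session cookie is still stored after the deletion header."""
    jar = BrowserJar(HOST)
    jar.receive(set_cookie_header(COOKIE_NAME, "abc123", path=COOKIE_PATH))
    jar.receive(deletion_header(COOKIE_NAME, path=delete_path))
    return any(name == COOKIE_NAME for name, _, _ in jar.store)


if __name__ == "__main__":
    for path in ("/", COOKIE_PATH):
        print(f"delete with path {path!r}: cookie survives = {session_survives(path)}")
```

With the default path the stale session cookie stays in the store and keeps being sent on later requests; only the deletion header whose path matches the original removes it.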

Change History (4)

comment:2 by Tim Graham, 8 years ago

Triage Stage: Unreviewed → Ready for checkin

comment:3 by Tim Graham <timograham@…>, 8 years ago

Resolution: fixed
Status: new → closed

In d13881bd:

Fixed #26783 -- Fixed SessionMiddleware's empty cookie deletion when using SESSION_COOKIE_PATH.

comment:4 by Tim Graham <timograham@…>, 8 years ago

In e725a68b:

[1.10.x] Fixed #26783 -- Fixed SessionMiddleware's empty cookie deletion when using SESSION_COOKIE_PATH.

Backport of d13881bd34ff8f76b902ef5256001341d60b3161 from master
