#26783 closed Bug (fixed)
SessionMiddleware does not correctly delete an empty session cookie when SESSION_COOKIE_PATH is set
| Reported by: | Jon Dufresne | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.sessions | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
SessionMiddleware is not passing the SESSION_COOKIE_PATH to response.delete_cookie() path argument. Browsers will not delete the cookie if the path does not match. This fact is acknowledged in Django's documentation.
Due to the way cookies work, path and domain should be the same values you used in set_cookie() – otherwise the cookie may not be deleted.
Link to bug in code:
https://github.com/django/django/blob/9baf692/django/contrib/sessions/middleware.py#L38
Change History (4)
comment:1 by , 9 years ago
| Has patch: | set |
|---|
comment:2 by , 9 years ago
| Triage Stage: | Unreviewed → Ready for checkin |
|---|
Note:
See TracTickets
for help on using tickets.
https://github.com/django/django/pull/6811