#26783 closed Bug (fixed)
SessionMiddleware does not correctly delete an empty session cookie when SESSION_COOKIE_PATH is set
Reported by: | Jon Dufresne | Owned by: | nobody |
---|---|---|---|
Component: | contrib.sessions | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
SessionMiddleware
is not passing the SESSION_COOKIE_PATH
to response.delete_cookie()
path
argument. Browsers will not delete the cookie if the path does not match. This fact is acknowledged in Django's documentation.
Due to the way cookies work, path and domain should be the same values you used in set_cookie() – otherwise the cookie may not be deleted.
Link to bug in code:
https://github.com/django/django/blob/9baf692/django/contrib/sessions/middleware.py#L38
Change History (4)
comment:1 by , 8 years ago
Has patch: | set |
---|
comment:2 by , 8 years ago
Triage Stage: | Unreviewed → Ready for checkin |
---|
Note:
See TracTickets
for help on using tickets.
https://github.com/django/django/pull/6811