Opened 7 months ago

Last modified 7 months ago

#28119 new New feature

Test client cookies do not take into account server hostnames/domains

Reported by: Ali Kaafarani Owned by: nobody
Component: Testing framework Version: 1.11
Severity: Normal Keywords: test, client, cookie, domain
Cc: Triage Stage: Someday/Maybe
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Ali Kaafarani)

A couple of issues arise in the testing framework when a Django project supports multiple hostnames.

  1. Cookies received don't set the domain field
  2. Cookies with a domain field are still included in requests to a different domain than the one in the cookie

Example of domain not being set:

from django.test import Client
client = Client()

# 1. Make a request with explicit SERVER_NAME
response = client.get('/', SERVER_NAME='foo.local')

# 2. Note that response.cookies['csrftoken']['domain'] has no value

Expected result: response.cookies['csrftoken']['domain'] was set to the value of SERVER_NAME (default would be testserver).
Rationale: Browsers do this, according to the specification: https://tools.ietf.org/html/rfc2965 (4.3.1 Interpreting Set-Cookie: Domain Defaults to the request-host)

Example of cookies sent incorrectly to another domain:

from django.test import Client
client = Client()

# 1. Make request with explicit SERVER_NAME, receive `csrftoken` cookie
response = client.get('/', SERVER_NAME='foo.local')

# 2. Note that client.cookies['csrftoken'] now has some value (eg. "123456")

# 3. Set the domain on the cookie
client.cookies['csrftoken']['domain'] = 'bar.local'

# 4. Make request to different domain
response = client.get('/', SERVER_NAME='bar.local')

# 5. Note that client.cookies['csrftoken'] was sent with the request, re-used by the server, and still has the same value (eg. "123456")

Expected result: On step 4, the client does not include the cookie with non-matching domain name.
Rationale: Using SERVER_NAME, the client should simulate browser behaviour by not sending cookies incorrectly to different hostnames.

Change History (5)

comment:1 Changed 7 months ago by Ali Kaafarani

Description: modified (diff)
Type: UncategorizedNew feature

comment:2 Changed 7 months ago by Ali Kaafarani

Description: modified (diff)

comment:3 Changed 7 months ago by Tim Graham

I'm not sure if we'd want to add this complexity to the test client (which is fairly dumb and simple). Could you elaborate on the use case? Assuming you need the functionality for your own project, perhaps you can show us how complicated it is to implement in a Client subclass.

comment:4 Changed 7 months ago by Ali Kaafarani

The use case in my project is to test single sign-on functionality. In one case, we need to log the user in on one site but not the other. Then, when the user visits the second site, they should be redirected and automatically authenticated. However, in the test framework, the session cookie will be sent to both sites after authenticating on only one, because the hostnames aren't taken into consideration. So the SSO features cannot be properly tested. I agree that this is probably not a very common use case, and does add some complexity to the simple client.

I would love to put this together in a Client subclass as a proof of concept. I will try to do so when I get the free time (although that may take a while).

comment:5 Changed 7 months ago by Tim Graham

Triage Stage: UnreviewedSomeday/Maybe
Note: See TracTickets for help on using tickets.
Back to Top