Opened 7 years ago
Last modified 7 years ago
#28119 new New feature
Test client cookies do not take into account server hostnames/domains
| Reported by: | Ali Kaafarani | Owned by: | nobody |
|---|---|---|---|
| Component: | Testing framework | Version: | 1.11 |
| Severity: | Normal | Keywords: | test, client, cookie, domain |
| Cc: | Triage Stage: | Someday/Maybe | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
A couple of issues arise in the testing framework when a Django project supports multiple hostnames.
- Cookies received don't set the domain field
- Cookies with a domain field are still included in requests to a different domain than the one in the cookie
Example of domain not being set:
from django.test import Client
client = Client()
# 1. Make a request with explicit SERVER_NAME
response = client.get('/', SERVER_NAME='foo.local')
# 2. Note that response.cookies['csrftoken']['domain'] has no value
Expected result: response.cookies['csrftoken']['domain'] was set to the value of SERVER_NAME (default would be testserver).
Rationale: Browsers do this, according to the specification: https://tools.ietf.org/html/rfc2965 (4.3.1 Interpreting Set-Cookie: Domain Defaults to the request-host)
Example of cookies sent incorrectly to another domain:
from django.test import Client
client = Client()
# 1. Make request with explicit SERVER_NAME, receive `csrftoken` cookie
response = client.get('/', SERVER_NAME='foo.local')
# 2. Note that client.cookies['csrftoken'] now has some value (eg. "123456")
# 3. Set the domain on the cookie
client.cookies['csrftoken']['domain'] = 'bar.local'
# 4. Make request to different domain
response = client.get('/', SERVER_NAME='bar.local')
# 5. Note that client.cookies['csrftoken'] was sent with the request, re-used by the server, and still has the same value (eg. "123456")
Expected result: On step 4, the client does not include the cookie with non-matching domain name.
Rationale: Using SERVER_NAME, the client should simulate browser behaviour by not sending cookies incorrectly to different hostnames.
Change History (5)
comment:1 by , 7 years ago
| Description: | modified (diff) |
|---|---|
| Type: | Uncategorized → New feature |
comment:2 by , 7 years ago
| Description: | modified (diff) |
|---|
comment:3 by , 7 years ago
comment:4 by , 7 years ago
The use case in my project is to test single sign-on functionality. In one case, we need to log the user in on one site but not the other. Then, when the user visits the second site, they should be redirected and automatically authenticated. However, in the test framework, the session cookie will be sent to both sites after authenticating on only one, because the hostnames aren't taken into consideration. So the SSO features cannot be properly tested. I agree that this is probably not a very common use case, and does add some complexity to the simple client.
I would love to put this together in a Client subclass as a proof of concept. I will try to do so when I get the free time (although that may take a while).
comment:5 by , 7 years ago
| Triage Stage: | Unreviewed → Someday/Maybe |
|---|
I'm not sure if we'd want to add this complexity to the test client (which is fairly dumb and simple). Could you elaborate on the use case? Assuming you need the functionality for your own project, perhaps you can show us how complicated it is to implement in a
Clientsubclass.