Opened 8 years ago
Last modified 8 years ago
#28119 new New feature
Test client cookies do not take into account server hostnames/domains — at Version 1
Reported by: | Ali Kaafarani | Owned by: | nobody |
---|---|---|---|
Component: | Testing framework | Version: | 1.11 |
Severity: | Normal | Keywords: | test, client, cookie, domain |
Cc: | | Triage Stage: | Someday/Maybe |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
A couple of issues arise in the testing framework when a Django project supports multiple hostnames.
- Cookies received don't set the domain field
- Cookies with a domain field are still included in requests to a different domain than the one in the cookie
Example of domain not being set:

```python
from django.test import Client

client = Client()

# 1. Make a request with explicit SERVER_NAME
response = client.get('/', SERVER_NAME='foo.local')

# 2. Note that response.cookies['csrftoken']['domain'] has no value
```
Expected result: response.cookies['csrftoken']['domain'] was set to the value of SERVER_NAME (default would be testserver).
Rationale: Browsers do this, according to the specification: https://tools.ietf.org/html/rfc2965 (4.3.1 Interpreting Set-Cookie: Domain Defaults to the request-host)
---
Example of cookies sent incorrectly to another domain:

```python
from django.test import Client

client = Client()

# 1. Make request with explicit SERVER_NAME, receive `csrftoken` cookie
response = client.get('/', SERVER_NAME='foo.local')

# 2. Note that client.cookies['csrftoken'] now has some value (eg. "123456")

# 3. Set the domain on the cookie
client.cookies['csrftoken']['domain'] = 'bar.local'

# 4. Make request to different domain
response = client.get('/', SERVER_NAME='bar.local')

# 5. Note that client.cookies['csrftoken'] was sent with the request, re-used by the server, and still has the same value (eg. "123456")
```
Expected result: On step 4, the client does not include the cookie with non-matching domain name.
Rationale: Using SERVER_NAME, the client should simulate browser behaviour by not sending cookies incorrectly to different hostnames.
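
The browser behaviour the description asks the test client to simulate, sketched as an added example that is not part of the ticket or of Django's code: a cookie without a Domain attribute is scoped to the request host only, and stored cookies are filtered by host before each request. The helper names (`domain_match`, `accept`, `cookies_for`) and the plain-dict jar are assumptions for illustration; matching follows RFC 6265 section 5.1.3, the current specification, rather than the RFC 2965 text cited above.

```python
import ipaddress
from http.cookies import SimpleCookie


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, domain):
    """RFC 6265 section 5.1.3: equal, or host is a subdomain of domain."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    # IP literals never suffix-match a cookie domain.
    return not _is_ip(host) and host.endswith("." + domain)


def accept(jar, set_cookie_header, server_name):
    """Store the cookies from one Set-Cookie header sent by server_name."""
    parsed = SimpleCookie()
    parsed.load(set_cookie_header)
    for name, morsel in parsed.items():
        domain = morsel["domain"].lstrip(".").lower()
        host_only = not domain
        if host_only:
            # No Domain attribute: scope the cookie to the request host only.
            domain = server_name.lower()
        elif not domain_match(server_name, domain):
            continue  # a host cannot set cookies for an unrelated domain
        jar[name] = {"value": morsel.value, "domain": domain, "host_only": host_only}


def cookies_for(jar, server_name):
    """Return {name: value} for the cookies a browser would send to server_name."""
    host = server_name.lower()
    return {
        name: c["value"]
        for name, c in jar.items()
        if (host == c["domain"] if c["host_only"] else domain_match(host, c["domain"]))
    }


if __name__ == "__main__":
    jar = {}  # constructed sample: same hostnames as the ticket
    accept(jar, "csrftoken=123456; Path=/", "foo.local")
    print(cookies_for(jar, "foo.local"))  # cookie is sent back to its origin host
    print(cookies_for(jar, "bar.local"))  # nothing is sent to the other host
```

A test suite for a multi-hostname project can use the same filter to assert that a `csrftoken` or session cookie issued on one hostname is never presented to another.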
Change History (1)
comment:1 by , 8 years ago
Description: | modified (diff) |
---|---|
Type: | Uncategorized → New feature |