Opened 6 years ago
Closed 6 years ago
#28989 closed New feature (fixed)
Allow deleting cookies using restricted cookie prefixes
| Reported by: | Alvin Lindstam | Owned by: | nobody |
|---|---|---|---|
| Component: | HTTP handling | Version: | 2.0 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
When using a cookie name with a cookie prefix such as __Secure- or __Host-, modern browsers (all except Internet Explorer) ignore the Set-Cookie-header if it does not use the secure flag and otherwise match the prefix's requirements.
Django's response.delete_cookie method always results in a Set-Cookie-header without the secure flag, which means that it can't delete those cookies.
It should be possible to delete those cookies, and the prefixes should be possible to use as SESSION_COOKIE_NAME (they are currently not deleted when the session is emptied).
Change History (3)
comment:1 by , 6 years ago
| Has patch: | set |
|---|
comment:2 by , 6 years ago
| Component: | Uncategorized → HTTP handling |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
| Type: | Uncategorized → New feature |
Note:
See TracTickets
for help on using tickets.
PR