Opened 4 years ago

Closed 4 years ago

#28989 closed New feature (fixed)

Allow deleting cookies using restricted cookie prefixes

Reported by: Alvin Lindstam
Owned by: nobody
Component: HTTP handling
Version: 2.0
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


When using a cookie name with a cookie prefix such as __Secure- or __Host-, modern browsers (all except Internet Explorer) ignore the Set-Cookie header if it does not use the secure flag and otherwise match the prefix's requirements.

Django's response.delete_cookie method always results in a Set-Cookie header without the secure flag, which means that it can't delete those cookies.

It should be possible to delete those cookies, and the prefixes should be possible to use as SESSION_COOKIE_NAME (they are currently not deleted when the session is emptied).

Change History (3)

comment:1 Changed 4 years ago by Alvin Lindstam

Has patch: set

comment:2 Changed 4 years ago by Tim Graham

Component: Uncategorized → HTTP handling
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → New feature

comment:3 Changed 4 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assigned → closed

In 47a99d70:

Fixed #28989 -- Fixed HttpResponse.delete_cookie() for cookies that use Secure/Host prefixes.
