Opened 3 years ago

Closed 3 years ago

#33109 closed Bug (needsinfo)

Testing the presence of SameSite and Secure cookies doesn't work

Reported by: Adrien Carpentier
Owned by: nobody
Component: Testing framework
Version: 3.1
Severity: Normal
Keywords: cookies, samesite, secure, test
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Adrien Carpentier)

When using the following constants in settings.py, as the Django docs say (https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-SESSION_COOKIE_SECURE):

CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE = 'None'

...and then testing for the presence of SameSite and Secure cookies in the responses, there are neither SameSite nor Secure cookie keys.
Here is a non-passing test, for example, for a user agent that should have SameSite and Secure cookies:

from django.test import Client

agent_string = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.2227.0 Safari/537.36"
test_client = Client()
res = test_client.get("/", HTTP_USER_AGENT=agent_string)
# self.cookie_key comes from the enclosing test case, which the ticket does not show
assert res.cookies.get(self.cookie_key)["samesite"] == "None"
assert res.cookies.get(self.cookie_key)["secure"]

When printing the content of the cookies (print(res.cookies.items())), the cookie keys are not there.

Note: When adding SameSite and Secure cookies in the responses through a custom middleware instead of the 3.1 setting, the tests are passing.

Change History (7)

comment:1 by Adrien Carpentier, 3 years ago

Description: modified (diff)

comment:2 by Adrien Carpentier, 3 years ago

Description: modified (diff)

comment:3 by Adrien Carpentier, 3 years ago

Summary: Testing of presence of SameSite and Secure cookies doesn't work → Testing the presence of SameSite and Secure cookies doesn't work

comment:4 by Adrien Carpentier, 3 years ago

Description: modified (diff)

comment:5 by Adrien Carpentier, 3 years ago

Description: modified (diff)

comment:6 by Tim Graham, 3 years ago

Have you debugged this to confirm that Django is at fault, and if so, where?

comment:7 by Mariusz Felisiak, 3 years ago

Component: HTTP handling → Testing framework
Resolution: → needsinfo
Status: new → closed

Thanks for the ticket, however I cannot reproduce this issue. Please reopen the ticket if you can debug your issue and provide a sample project.
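
A debugging aid for the kind of check discussed in this ticket, added here as an example (it is not code from the ticket or from Django): it separates "the cookie was not set on this response" from "the cookie was set without the expected flags". It assumes the test response's `res.cookies` is an `http.cookies.SimpleCookie`, so `check_cookie_flags(res.cookies, "sessionid")` can be called directly; the function names and the sample `Set-Cookie` values are constructed for illustration.

```python
from http.cookies import SimpleCookie


def cookies_from_headers(set_cookie_values):
    """Build a SimpleCookie jar from raw Set-Cookie header values."""
    jar = SimpleCookie()
    for value in set_cookie_values:
        jar.load(value)
    return jar


def check_cookie_flags(cookies, name, samesite="None", secure=True):
    """Return a list of problems for cookie `name`; an empty list means it passes."""
    morsel = cookies.get(name)
    if morsel is None:
        # Indexing the result of .get() here would raise TypeError, which hides
        # the real finding: the response did not set this cookie at all.
        return [f"{name}: not set on this response (cookies present: {sorted(cookies)})"]
    problems = []
    actual = morsel["samesite"]  # '' when the attribute is absent
    if secure and not morsel["secure"]:
        problems.append(f"{name}: Secure flag missing")
    if actual.lower() != samesite.lower():
        problems.append(f"{name}: SameSite is {actual!r}, expected {samesite!r}")
    if actual.lower() == "none" and not morsel["secure"]:
        problems.append(f"{name}: SameSite=None without Secure is rejected by "
                        "browsers that enforce the SameSite rules")
    return problems


# Constructed Set-Cookie values (not captured from a real Django response).
GOOD = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "csrftoken=tok456; Path=/; Secure; SameSite=None",
]
NO_FLAGS = ["sessionid=abc123; Path=/; HttpOnly"]
NONE_WITHOUT_SECURE = ["sessionid=abc123; Path=/; SameSite=None"]

if __name__ == "__main__":
    samples = {"good": GOOD, "no flags": NO_FLAGS, "None w/o Secure": NONE_WITHOUT_SECURE}
    for label, headers in samples.items():
        jar = cookies_from_headers(headers)
        for cookie_name in ("sessionid", "csrftoken"):
            print(label, cookie_name, check_cookie_flags(jar, cookie_name))
```
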
