Opened 3 years ago
Last modified 3 years ago
#33109 closed Bug
Testing of presence of SameSite and Secure cookies doesn't work — at Initial Version
Reported by: | Adrien Carpentier | Owned by: | nobody |
---|---|---|---|
Component: | Testing framework | Version: | 3.1 |
Severity: | Normal | Keywords: | cookies, samesite, secure, test |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
When using the following constants in `settings.py`, as Django doc says (https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-SESSION_COOKIE_SECURE):

```python
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE = 'None'
```
But when testing the presence of `SameSite` and `Secure` cookies in the responses for , there are neither `SameSite` nor `Secure` cookie keys. Here is a non-passing test, for example, for a user agent that should have `SameSite` and `Secure` cookies:
```python
from django.test import Client

agent_string = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.2227.0 Safari/537.36"
test_client = Client()
res = test_client.get("/", HTTP_USER_AGENT=agent_string)
# Each entry in res.cookies is a Morsel; its attributes are read by subscript.
assert res.cookies.get(self.cookie_key)["samesite"] == "None"
assert res.cookies.get(self.cookie_key)["secure"]
```
When printing the content of the cookies (`print(res.cookies.items())`), the cookie keys are not there.

(Until 3.1 I was adding `SameSite` and `Secure` cookies in the responses through a custom middleware before Django 3.1, depending on the user agent, with the exact same passing tests. Since Django 3.1, I just removed the custom middleware and added those constants in `settings.py`).
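The check from the test above, written so that a cookie missing from the response is reported separately from a cookie that is present without its flags (added example, not part of the ticket or of Django's code). Django's `response.cookies` is an `http.cookies.SimpleCookie`, so the helper takes one; the function names and the `Set-Cookie` values are constructed for illustration.

```python
from http.cookies import SimpleCookie


def parse_set_cookie(header_values):
    """Build a SimpleCookie jar from a list of Set-Cookie header values."""
    jar = SimpleCookie()
    for value in header_values:
        jar.load(value)
    return jar


def cookie_flag_problems(cookies, name, samesite="None", require_secure=True):
    """Return a list of problems for cookie `name`; an empty list means it passes."""
    morsel = cookies.get(name)
    if morsel is None:
        # .get() returns None when the response never set this cookie, which
        # would otherwise surface as a TypeError on the subscript.
        return [f"cookie {name!r} was not set on this response"]
    problems = []
    actual = morsel["samesite"]  # empty string when the attribute is absent
    if actual.lower() != samesite.lower():
        problems.append(f"SameSite is {actual!r}, expected {samesite!r}")
    if require_secure and not morsel["secure"]:
        problems.append("Secure flag is missing")
    return problems


# Constructed Set-Cookie values, not captured from a real response.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=None",
    "csrftoken=xyz789; Path=/; SameSite=Lax",
]

if __name__ == "__main__":
    jar = parse_set_cookie(SAMPLE_HEADERS)
    for cookie_name in ("sessionid", "csrftoken", "othercookie"):
        print(cookie_name, cookie_flag_problems(jar, cookie_name))
```

In a Django test the same helper can be called as `cookie_flag_problems(res.cookies, name)` and asserted to equal `[]`.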