summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBo Lopker <blopker@23andme.com>2015-05-13 23:22:42 -0700
committerTim Graham <timograham@gmail.com>2015-05-15 11:24:18 -0400
commit3c659856eb9d5a45e02213f1e8f9fcbb03bd12cf (patch)
tree9398a838ae6d54f4e70b13b44ea20fb1645d5744
parent6a0d9f068f9986c8c05e689e67be7bc22c59efc6 (diff)
[1.8.x] Fixed #24799 -- Fixed session cookie deletion when using SESSION_COOKIE_DOMAIN
Backport of 2dee853ed4def42b7ef1b3b472b395055543cc00 from master
-rw-r--r--django/contrib/sessions/middleware.py3
-rw-r--r--docs/releases/1.8.2.txt3
-rw-r--r--tests/sessions_tests/tests.py29
3 files changed, 34 insertions, 1 deletions
diff --git a/django/contrib/sessions/middleware.py b/django/contrib/sessions/middleware.py
index 69ca669033..c21036b124 100644
--- a/django/contrib/sessions/middleware.py
+++ b/django/contrib/sessions/middleware.py
@@ -31,7 +31,8 @@ class SessionMiddleware(object):
# First check if we need to delete this cookie.
# The session should be deleted only if the session is entirely empty
if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
- response.delete_cookie(settings.SESSION_COOKIE_NAME)
+ response.delete_cookie(settings.SESSION_COOKIE_NAME,
+ domain=settings.SESSION_COOKIE_DOMAIN)
else:
if accessed:
patch_vary_headers(response, ('Cookie',))
diff --git a/docs/releases/1.8.2.txt b/docs/releases/1.8.2.txt
index f14036b51f..3682126aa1 100644
--- a/docs/releases/1.8.2.txt
+++ b/docs/releases/1.8.2.txt
@@ -30,3 +30,6 @@ Bugfixes
* Fixed a MySQL crash when a migration removes a combined index (unique_together
or index_together) containing a foreign key (:ticket:`24757`).
+
+* Fixed session cookie deletion when using :setting:`SESSION_COOKIE_DOMAIN`
+ (:ticket:`24799`).
diff --git a/tests/sessions_tests/tests.py b/tests/sessions_tests/tests.py
index f6c5933da4..d9e6817976 100644
--- a/tests/sessions_tests/tests.py
+++ b/tests/sessions_tests/tests.py
@@ -610,6 +610,35 @@ class SessionMiddlewareTests(TestCase):
str(response.cookies[settings.SESSION_COOKIE_NAME])
)
+ @override_settings(SESSION_COOKIE_DOMAIN='.example.local')
+ def test_session_delete_on_end_with_custom_domain(self):
+ request = RequestFactory().get('/')
+ response = HttpResponse('Session test')
+ middleware = SessionMiddleware()
+
+ # Before deleting, there has to be an existing cookie
+ request.COOKIES[settings.SESSION_COOKIE_NAME] = 'abc'
+
+ # Simulate a request that ends the session
+ middleware.process_request(request)
+ request.session.flush()
+
+ # Handle the response through the middleware
+ response = middleware.process_response(request, response)
+
+ # Check that the cookie was deleted, not recreated.
+ # A deleted cookie header with a custom domain looks like:
+ # Set-Cookie: sessionid=; Domain=.example.local;
+ # expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
+ self.assertEqual(
+ 'Set-Cookie: {}={}; Domain=.example.local; expires=Thu, '
+ '01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/'.format(
+ settings.SESSION_COOKIE_NAME,
+ '""' if sys.version_info >= (3, 5) else '',
+ ),
+ str(response.cookies[settings.SESSION_COOKIE_NAME])
+ )
+
# Don't need DB flushing for these tests, so can use unittest.TestCase as base class
class CookieSessionTests(SessionTestsMixin, unittest.TestCase):