diff options
| author | Jon Dufresne <jon.dufresne@gmail.com> | 2016-06-21 08:03:25 -0700 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-06-21 11:03:40 -0400 |
| commit | e725a68bcce4106fa3e1e8ecb0145ddef03d9005 (patch) | |
| tree | 89e03a2f84710c7afe63d426f65a6ba0d690206c | |
| parent | b1592dd73b47d81e8a8f5e585827fccde015c7c2 (diff) | |
[1.10.x] Fixed #26783 -- Fixed SessionMiddleware's empty cookie deletion when using SESSION_COOKIE_PATH.
Backport of d13881bd34ff8f76b902ef5256001341d60b3161 from master
| -rw-r--r-- | django/contrib/sessions/middleware.py | 6 | ||||
| -rw-r--r-- | tests/sessions_tests/tests.py | 11 |
2 files changed, 11 insertions, 6 deletions
diff --git a/django/contrib/sessions/middleware.py b/django/contrib/sessions/middleware.py index 4871b48075..5aaff43426 100644 --- a/django/contrib/sessions/middleware.py +++ b/django/contrib/sessions/middleware.py @@ -35,7 +35,11 @@ class SessionMiddleware(MiddlewareMixin): # First check if we need to delete this cookie. # The session should be deleted only if the session is entirely empty if settings.SESSION_COOKIE_NAME in request.COOKIES and empty: - response.delete_cookie(settings.SESSION_COOKIE_NAME, domain=settings.SESSION_COOKIE_DOMAIN) + response.delete_cookie( + settings.SESSION_COOKIE_NAME, + path=settings.SESSION_COOKIE_PATH, + domain=settings.SESSION_COOKIE_DOMAIN, + ) else: if accessed: patch_vary_headers(response, ('Cookie',)) diff --git a/tests/sessions_tests/tests.py b/tests/sessions_tests/tests.py index 3975d57c4c..dbba1235b5 100644 --- a/tests/sessions_tests/tests.py +++ b/tests/sessions_tests/tests.py @@ -746,8 +746,8 @@ class SessionMiddlewareTests(TestCase): str(response.cookies[settings.SESSION_COOKIE_NAME]) ) - @override_settings(SESSION_COOKIE_DOMAIN='.example.local') - def test_session_delete_on_end_with_custom_domain(self): + @override_settings(SESSION_COOKIE_DOMAIN='.example.local', SESSION_COOKIE_PATH='/example/') + def test_session_delete_on_end_with_custom_domain_and_path(self): request = RequestFactory().get('/') response = HttpResponse('Session test') middleware = SessionMiddleware() @@ -763,12 +763,13 @@ class SessionMiddlewareTests(TestCase): response = middleware.process_response(request, response) # Check that the cookie was deleted, not recreated. - # A deleted cookie header with a custom domain looks like: + # A deleted cookie header with a custom domain and path looks like: # Set-Cookie: sessionid=; Domain=.example.local; - # expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/ + # expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; + # Path=/example/ self.assertEqual( 'Set-Cookie: {}={}; Domain=.example.local; expires=Thu, ' - '01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/'.format( + '01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/example/'.format( settings.SESSION_COOKIE_NAME, '""' if sys.version_info >= (3, 5) else '', ), |
