summaryrefslogtreecommitdiff
path: root/django
diff options
context:
space:
mode:
authorAlvin Lindstam <alvin.lindstam@gmail.com>2018-01-04 18:53:35 +0100
committerTim Graham <timograham@gmail.com>2018-01-08 12:32:47 -0500
commit47a99d701277f6ec98e6fd220feb9c8a1e66718e (patch)
tree67b70e5c4aa3847dca46031ecc882c8959b8580f /django
parent8e94f9f7dd515e49621b4a8395077a0cd2ab4c78 (diff)
Fixed #28989 -- Fixed HttpResponse.delete_cookie() for cookies that use __Secure/Host prefixes.
Diffstat (limited to 'django')
-rw-r--r--django/http/response.py9
1 files changed, 7 insertions, 2 deletions
diff --git a/django/http/response.py b/django/http/response.py
index 76d731d53f..b6f29cc056 100644
--- a/django/http/response.py
+++ b/django/http/response.py
@@ -205,8 +205,13 @@ class HttpResponseBase:
return self.set_cookie(key, value, **kwargs)
def delete_cookie(self, key, path='/', domain=None):
- self.set_cookie(key, max_age=0, path=path, domain=domain,
- expires='Thu, 01 Jan 1970 00:00:00 GMT')
+ # Most browsers ignore the Set-Cookie header if the cookie name starts
+ # with __Host- or __Secure- and the cookie doesn't use the secure flag.
+ secure = key.startswith(('__Secure-', '__Host-'))
+ self.set_cookie(
+ key, max_age=0, path=path, domain=domain, secure=secure,
+ expires='Thu, 01 Jan 1970 00:00:00 GMT',
+ )
# Common methods used by subclasses