#26783: SessionMiddleware does not correctly delete an empty session cookie when
SESSION_COOKIE_PATH is set
----------------------------------+--------------------
Reporter: jdufresne | Owner: nobody
Type: Bug | Status: new
Component: contrib.sessions | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+--------------------
`SessionMiddleware` is not passing the `SESSION_COOKIE_PATH` to
`response.delete_cookie()` `path` argument. Browsers will not delete the
cookie if the path does not match. This fact is acknowledged in
[https://docs.djangoproject.com/en/dev/ref/request-
response/#django.http.HttpResponse.delete_cookie Django's documentation].
> Due to the way cookies work, path and domain should be the same values
you used in set_cookie() – otherwise the cookie may not be deleted.
Link to bug in code:
https://github.com/django/django/blob/9baf692/django/contrib/sessions/middleware.py#L38
--
Ticket URL: <https://code.djangoproject.com/ticket/26783>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/052.1257d3c929b21c9cc72f9214285a9728%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
