#28119: Test client cookies do not take into account server hostnames/domains
-------------------------------------+-------------------------------------
Reporter: Ali Kaafarani              | Owner: nobody
Type: Uncategorized                  | Status: new
Component: Testing framework         | Version: 1.11
Severity: Normal                     | Keywords: test, client, cookie, domain
Triage Stage: Unreviewed             | Has patch: 0
Needs documentation: 0               | Needs tests: 0
Patch needs improvement: 0           | Easy pickings: 0
UI/UX: 0                             |
-------------------------------------+-------------------------------------
A couple of issues arise in the testing framework when a Django project
supports multiple hostnames.
1. Cookies received don't set the domain field
2. Cookies with a domain field are still included in requests to a
different domain than the one in the cookie
=== Example of `domain` not being set:
{{{
from django.test import Client
client = Client()
# 1. Make a request with explicit SERVER_NAME
response = client.get('/', SERVER_NAME='foo.local')
# 2. Note that response.cookies['csrftoken']['domain'] has no value
}}}
Expected result: `response.cookies['csrftoken']['domain']` was set to
`SERVER_NAME` (default would be `testserver`).
Rationale: Browsers do this, according to the specification:
https://tools.ietf.org/html/rfc2965 (4.3.1 Interpreting Set-Cookie: Domain
Defaults to the request-host)
---
=== Example of cookies sent incorrectly to another domain:
{{{
from django.test import Client
client = Client()
# 1. Make request with explicit SERVER_NAME, receive `csrftoken` cookie
response = client.get('/', SERVER_NAME='foo.local')
# 2. Note that client.cookies['csrftoken'] now has some value (eg. "123456")
# 3. Set the domain on the cookie
client.cookies['csrftoken']['domain'] = 'bar.local'
# 4. Make request to different domain
response = client.get('/', SERVER_NAME='bar.local')
# 5. Note that client.cookies['csrftoken'] was sent with the request,
#    re-used by the server, and still has the same value (eg. "123456")
}}}
Expected result: On step 4, the client does not include the cookie with
non-matching domain name.
Rationale: Using SERVER_NAME, the client should simulate browser behaviour
by not sending cookies incorrectly to different hostnames.
--
Ticket URL: <https://code.djangoproject.com/ticket/28119>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
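Added example, not part of the ticket and not Django's own code: the browser behaviour the reporter expects, simulated with the standard library's `http.cookiejar` rather than `django.test.Client`. The hostnames (`foo.example`, `bar.example`, `app.corp.example`), the cookie names and the values are constructed for the demonstration. The `DomainStrictNonDomain` policy flag makes a cookie that carries no `Domain` attribute host-only, as RFC 6265 specifies, so it is returned only to the exact host that set it; a `Set-Cookie` naming a `Domain` that does not cover the responding host is refused at receipt, which browsers also do.

```python
"""Browser-style cookie scoping simulated with http.cookiejar.

Constructed example (not Django code). Shows the two behaviours the ticket
asks of the test client: a cookie's domain defaults to the host that set it,
and a cookie is only sent to hosts it domain-matches.
"""
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy


class _Response:
    """Minimal response stand-in: CookieJar only needs .info() -> Message."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers.add_header("Set-Cookie", header)

    def info(self):
        return self._headers


class HostAwareClient:
    """Toy client (hypothetical, not django.test.Client) that keys cookies by host."""

    def __init__(self):
        # DomainStrictNonDomain: cookies without a Domain attribute are
        # host-only (sent back only to the host that set them), as in RFC 6265.
        policy = DefaultCookiePolicy(
            strict_ns_domain=DefaultCookiePolicy.DomainStrictNonDomain)
        self.jar = CookieJar(policy)

    def receive(self, server_name, set_cookie_headers, path="/"):
        """Store the Set-Cookie headers a server at `server_name` returned."""
        request = urllib.request.Request(f"http://{server_name}{path}")
        self.jar.extract_cookies(_Response(set_cookie_headers), request)

    def cookie_header_for(self, server_name, path="/"):
        """Return the Cookie header a request to `server_name` would carry."""
        request = urllib.request.Request(f"http://{server_name}{path}")
        self.jar.add_cookie_header(request)
        return request.get_header("Cookie")  # None when nothing matches

    def stored(self):
        """(name, domain, domain_specified) for every cookie in the jar."""
        return sorted((c.name, c.domain, c.domain_specified) for c in self.jar)


def demo():
    client = HostAwareClient()

    # 1. foo.example sets csrftoken without a Domain attribute: the jar records
    #    the request host as the cookie's domain (the ticket's first point).
    client.receive("foo.example", ["csrftoken=123456; Path=/"])

    # 2. foo.example tries to set a cookie scoped to an unrelated host: a
    #    browser refuses it, so it must not appear in the jar at all.
    client.receive("foo.example", ["csrftoken=forged; Domain=bar.example"])

    # 3. A Domain attribute that covers the responding host is accepted and
    #    the cookie is shared with sibling hosts under that domain.
    client.receive("app.corp.example", ["sessionid=abc; Domain=corp.example"])

    return {
        "stored": client.stored(),
        "foo": client.cookie_header_for("foo.example"),
        "www_foo": client.cookie_header_for("www.foo.example"),  # host-only
        "bar": client.cookie_header_for("bar.example"),  # the ticket's second point
        "www_corp": client.cookie_header_for("www.corp.example"),
        "corp": client.cookie_header_for("corp.example"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the stored cookies and the `Cookie` header each host would receive; `bar` and `www_foo` come back as `None` because no stored cookie domain-matches those hosts. Note that under these rules the ticket's second scenario could not be reached by a real server at all: a cookie whose `Domain` does not cover the host that set it is dropped on receipt rather than stored and later filtered.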