#28119: Test client cookies do not take into account server hostnames/domains
-------------------------------------+-------------------------------------
Reporter: Ali Kaafarani | Owner: nobody
Type: New feature | Status: new
Component: Testing framework | Version: 1.11
Severity: Normal | Resolution:
Keywords: test, client, cookie, domain | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Ali Kaafarani:
Old description:
> A couple of issues arise in the testing framework when a Django project
> supports multiple hostnames.
>
> 1. Cookies received don't set the domain field
> 2. Cookies with a domain field are still included in requests to a
> different domain than the one in the cookie
>
> === Example of `domain` not being set:
>
> {{{
> from django.test import Client
> client = Client()
>
> # 1. Make a request with explicit SERVER_NAME
> response = client.get('/', SERVER_NAME='foo.local')
>
> # 2. Note that response.cookies['csrftoken']['domain'] has no value
> }}}
>
> Expected result: `response.cookies['csrftoken']['domain']` was set to the
> value of `SERVER_NAME` (default would be `testserver`).
> Rationale: Browsers do this, according to the specification:
> https://tools.ietf.org/html/rfc2965 (4.3.1 Interpreting Set-Cookie:
> Domain Defaults to the request-host)
>
> ---
>
> === Example of cookies sent incorrectly to another domain:
>
> {{{
> from django.test import Client
> client = Client()
>
> # 1. Make request with explicit SERVER_NAME, receive `csrftoken` cookie
> response = client.get('/', SERVER_NAME='foo.local')
>
> # 2. Note that client.cookies['csrftoken'] now has some value (eg.
> #    "123456")
>
> # 3. Set the domain on the cookie
> client.cookies['csrftoken']['domain'] = 'bar.local'
>
> # 4. Make request to different domain
> response = client.get('/', SERVER_NAME='bar.local')
>
> # 5. Note that client.cookies['csrftoken'] was sent with the request,
> #    re-used by the server, and still has the same value (eg. "123456")
> }}}
>
> Expected result: On step 4, the client does not include the cookie with
> non-matching domain name.
> Rationale: Using `SERVER_NAME`, the client should simulate browser
> behaviour by not sending cookies incorrectly to different hostnames.
New description:
A couple of issues arise in the testing framework when a Django project
supports multiple hostnames.
1. Cookies received don't set the domain field
2. Cookies with a domain field are still included in requests to a
different domain than the one in the cookie
=== Example of `domain` not being set:
{{{
from django.test import Client
client = Client()
# 1. Make a request with explicit SERVER_NAME
response = client.get('/', SERVER_NAME='foo.local')
# 2. Note that response.cookies['csrftoken']['domain'] has no value
}}}
Expected result: `response.cookies['csrftoken']['domain']` was set to the
value of `SERVER_NAME` (default would be `testserver`).
Rationale: Browsers do this, according to the specification:
https://tools.ietf.org/html/rfc2965 (4.3.1 Interpreting Set-Cookie: Domain
Defaults to the request-host)
=== Example of cookies sent incorrectly to another domain:
{{{
from django.test import Client
client = Client()
# 1. Make request with explicit SERVER_NAME, receive `csrftoken` cookie
response = client.get('/', SERVER_NAME='foo.local')
# 2. Note that client.cookies['csrftoken'] now has some value (eg.
#    "123456")
# 3. Set the domain on the cookie
client.cookies['csrftoken']['domain'] = 'bar.local'
# 4. Make request to different domain
response = client.get('/', SERVER_NAME='bar.local')
# 5. Note that client.cookies['csrftoken'] was sent with the request,
#    re-used by the server, and still has the same value (eg. "123456")
}}}
Expected result: On step 4, the client does not include the cookie with
non-matching domain name.
Rationale: Using `SERVER_NAME`, the client should simulate browser
behaviour by not sending cookies incorrectly to different hostnames.
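The browser behaviour the ticket asks the test client to simulate, as an added example that is not part of the ticket or of Django's own code: a standard-library-only cookie jar that defaults a received cookie's domain to the request host and hands back only the cookies whose domain matches the hostname being requested. `DomainAwareCookieJar`, `domain_matches` and `demo` are hypothetical names, and the host-only rule (a domain without a leading dot matches that exact host only) is assumed from RFC 6265 rather than taken from the ticket.

```python
from http.cookies import SimpleCookie


def domain_matches(request_host, cookie_domain):
    """True if a cookie scoped to cookie_domain may be sent to request_host."""
    host = request_host.lower().rstrip('.')
    domain = cookie_domain.lower().rstrip('.')
    if domain.startswith('.'):
        # Leading dot: the domain itself and any of its subdomains.
        domain = domain[1:]
        return host == domain or host.endswith('.' + domain)
    # No leading dot: host-only cookie, exact host match required (assumed rule).
    return host == domain


class DomainAwareCookieJar:
    """Stand-in for Client.cookies that keys cookies by (name, domain)."""

    def __init__(self):
        self.store = {}  # (name, domain) -> http.cookies.Morsel

    def store_response_cookies(self, request_host, response_cookies):
        """Record Set-Cookie morsels; a missing Domain defaults to the host."""
        for name, morsel in response_cookies.items():
            domain = morsel['domain'] or request_host  # RFC 2965 4.3.1 default
            morsel['domain'] = domain
            self.store[(name, domain)] = morsel

    def cookies_for(self, request_host):
        """{name: value} of the cookies a browser would send to request_host."""
        return {
            name: morsel.value
            for (name, domain), morsel in self.store.items()
            if domain_matches(request_host, domain)
        }


def demo():
    """Replay the ticket's two scenarios against the jar."""
    jar = DomainAwareCookieJar()
    # Constructed response from foo.local: csrftoken with no Domain attribute.
    set_cookie = SimpleCookie()
    set_cookie['csrftoken'] = '123456'
    jar.store_response_cookies('foo.local', set_cookie)
    # Scenario 1: the stored cookie now carries the request host as its domain.
    domain = jar.store[('csrftoken', 'foo.local')]['domain']
    # Scenario 2: sent back to foo.local, withheld from the unrelated bar.local.
    return domain, jar.cookies_for('foo.local'), jar.cookies_for('bar.local')
```

Wrapping `Client.get()` so that it stores `response.cookies` through the jar and sends only `cookies_for(SERVER_NAME)` is what would give a test suite the per-hostname isolation described above.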
--
Ticket URL: <https://code.djangoproject.com/ticket/28119#comment:2>
Django <https://code.djangoproject.com/>