#28989: Allow deleting cookies using restricted cookie prefixes
------------------------------------------+--------------------------
               Reporter:  Alvin Lindstam  |          Owner:  nobody
                   Type:  Uncategorized   |         Status:  assigned
              Component:  Uncategorized   |        Version:  2.0
               Severity:  Normal          |       Keywords:
           Triage Stage:  Unreviewed      |      Has patch:  0
    Needs documentation:  0               |    Needs tests:  0
Patch needs improvement:  0               |  Easy pickings:  0
                  UI/UX:  0               |
------------------------------------------+--------------------------
 When using a cookie name with a cookie prefix such as `__Secure-` or
 `__Host-`, modern browsers (all except Internet Explorer) ignore the Set-
 Cookie-header if it does not use the secure flag and otherwise match the
 prefix's requirements.

 Django's `response.delete_cookie` method always results in a Set-Cookie-
 header without the secure flag, which means that it can't delete those
 cookies.

 It should be possible to delete those cookies, and the prefixes should be
 possible to use as `SESSION_COOKIE_NAME` (they are currently not deleted
 when the session is emptied).

-- 
Ticket URL: <https://code.djangoproject.com/ticket/28989>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
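
The behaviour the ticket describes, as an added example (not Django's code and not part of the original ticket): a standard-library model of an expiring Set-Cookie header, checked against the cookie-prefix rules browsers apply. The names `deletion_header`, `parse_set_cookie` and `browser_accepts` are hypothetical, and the check assumes the response is served over HTTPS unless told otherwise.

```python
from http.cookies import SimpleCookie

EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"


def deletion_header(name, path="/", domain=None, secure=False):
    """Build an expiring Set-Cookie value (stdlib model, not Django's code)."""
    jar = SimpleCookie()
    jar[name] = ""
    morsel = jar[name]
    morsel["expires"] = EPOCH
    morsel["max-age"] = 0
    morsel["path"] = path
    if domain:
        morsel["domain"] = domain
    if secure:
        morsel["secure"] = True
    return morsel.OutputString()


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def browser_accepts(header, secure_origin=True):
    """Apply the cookie-prefix rules; a rejected header is ignored entirely,
    so a rejected deletion leaves the existing cookie in place."""
    name, attrs = parse_set_cookie(header)
    if name.startswith("__Secure-"):
        return secure_origin and "secure" in attrs
    if name.startswith("__Host-"):
        return (secure_origin and "secure" in attrs
                and attrs.get("path") == "/" and "domain" not in attrs)
    return True


if __name__ == "__main__":
    # Constructed cookie names; the first header of each pair lacks Secure.
    for cookie in ("sessionid", "__Secure-sessionid", "__Host-sessionid"):
        for secure in (False, True):
            header = deletion_header(cookie, secure=secure)
            print(browser_accepts(header), header)
```

A `__Host-` deletion additionally has to keep `Path=/` and omit `Domain`, so passing a domain to the deletion call would also cause the header to be ignored.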
