#28989: Allow deleting cookies using restricted cookie prefixes
------------------------------------------+--------------------------
Reporter: Alvin Lindstam | Owner: nobody
Type: Uncategorized | Status: assigned
Component: Uncategorized | Version: 2.0
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------+--------------------------
When using a cookie name with a cookie prefix such as `__Secure-` or
`__Host-`, modern browsers (all except Internet Explorer) ignore the
Set-Cookie header if it does not use the secure flag and otherwise match the
prefix's requirements.
Django's `response.delete_cookie` method always results in a Set-Cookie
header without the secure flag, which means that it can't delete those
cookies.
It should be possible to delete those cookies, and the prefixes should be
possible to use as `SESSION_COOKIE_NAME` (they are currently not deleted
when the session is emptied).
--
Ticket URL: <https://code.djangoproject.com/ticket/28989>
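The behaviour reported in the ticket, as an added example that is not part of the original report and is not Django's own code. It builds a deletion Set-Cookie value with the standard library and applies the prefix checks a prefix-aware browser performs. The helper names (deletion_header, browser_accepts, deletion_header_prefix_aware) and the cookie name are hypothetical, and the response is assumed to be served over HTTPS.

```python
from http.cookies import SimpleCookie

EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"
RESTRICTED_PREFIXES = ("__Secure-", "__Host-")


def deletion_header(name, path="/", domain=None, secure=False):
    """Build a Set-Cookie value that expires `name` (hypothetical helper)."""
    cookie = SimpleCookie()
    cookie[name] = ""
    morsel = cookie[name]
    morsel["expires"] = EPOCH
    morsel["max-age"] = 0
    morsel["path"] = path
    if domain:
        morsel["domain"] = domain
    if secure:
        morsel["secure"] = True
    return morsel.OutputString()


def browser_accepts(header_value):
    """Cookie-prefix checks, assuming the response arrived over HTTPS."""
    name_value, *raw_attrs = [part.strip() for part in header_value.split(";")]
    name = name_value.split("=", 1)[0]
    attrs = {}
    for raw in raw_attrs:
        key, _, value = raw.partition("=")
        attrs[key.strip().lower()] = value.strip()
    has_secure = "secure" in attrs
    if name.startswith("__Secure-"):
        return has_secure
    if name.startswith("__Host-"):
        # __Host- also requires Path=/ and forbids a Domain attribute.
        return has_secure and attrs.get("path") == "/" and "domain" not in attrs
    return True


def deletion_header_prefix_aware(name, path="/", domain=None):
    """Set Secure on the deletion header whenever the name is prefixed."""
    secure = name.startswith(RESTRICTED_PREFIXES)
    return deletion_header(name, path, domain, secure=secure)


if __name__ == "__main__":
    for build in (deletion_header, deletion_header_prefix_aware):
        value = build("__Host-sessionid")  # constructed cookie name
        print(build.__name__, "->", value, "| accepted:", browser_accepts(value))
```

A deletion header the browser ignores leaves the old cookie, and the session identifier it carries, in place on the client after logout.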