#33109: Testing the presence of SameSite and Secure cookies doesn't work
-------------------------------------+-------------------------------------
     Reporter:  Adrien Carpentier    |                    Owner:  nobody
         Type:  Bug                  |                   Status:  new
    Component:  HTTP handling        |                  Version:  3.1
     Severity:  Normal               |               Resolution:
     Keywords:  cookies, samesite,   |             Triage Stage:
  secure, test                       |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Description changed by Adrien Carpentier:

Old description:

> When using the following constants in `settings.py`, as the Django docs
> say (https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-
> SESSION_COOKIE_SECURE):
>
> {{{
> CSRF_COOKIE_SECURE = True
> SESSION_COOKIE_SECURE = True
> CSRF_COOKIE_SAMESITE = 'None'
> SESSION_COOKIE_SAMESITE = 'None'
> }}}
>
> ...and then when testing the presence of `SameSite` and `Secure` cookies
> in the responses, there are no `SameSite` or `Secure` cookie keys.
> Here is a non-passing test, for example, for a user agent that should
> have `SameSite` and `Secure` cookies:
>
> {{{
> from django.test import Client
>
> # cookie_key is the session or CSRF cookie name under test (set on the TestCase)
> agent_string = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.2227.0 Safari/537.36"
> test_client = Client()
> res = test_client.get("/", HTTP_USER_AGENT=agent_string)
> assert res.cookies.get(self.cookie_key)["samesite"] == "None"
> assert res.cookies.get(self.cookie_key)["secure"]
> }}}
>
> When printing the content of the cookies (`print(res.cookies.items())`),
> the cookie keys are not there.
>
> Side note: before Django 3.1 I was adding `SameSite` and `Secure` cookies
> to the responses through a custom middleware, depending on the user
> agent, and the tests were passing.

New description:

 When using the following constants in `settings.py`, as the Django docs say
 (https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-
 SESSION_COOKIE_SECURE):

 {{{
 CSRF_COOKIE_SECURE = True
 SESSION_COOKIE_SECURE = True
 CSRF_COOKIE_SAMESITE = 'None'
 SESSION_COOKIE_SAMESITE = 'None'
 }}}

 ...and then when testing the presence of `SameSite` and `Secure` cookies
 in the responses, there are no `SameSite` or `Secure` cookie keys.
 Here is a non-passing test, for example, for a user agent that should have
 `SameSite` and `Secure` cookies:

 {{{
 from django.test import Client

 # cookie_key is the session or CSRF cookie name under test (set on the TestCase)
 agent_string = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.2227.0 Safari/537.36"
 test_client = Client()
 res = test_client.get("/", HTTP_USER_AGENT=agent_string)
 assert res.cookies.get(self.cookie_key)["samesite"] == "None"
 assert res.cookies.get(self.cookie_key)["secure"]
 }}}

 When printing the content of the cookies (`print(res.cookies.items())`),
 the cookie keys are not there.

 Note: When adding `SameSite` and `Secure` cookies in the responses through
 a custom middleware instead of the 3.1 setting, the tests are passing.

--

-- 
Ticket URL: <https://code.djangoproject.com/ticket/33109#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
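The check the ticket's test is trying to express, as an added example that is not part of the ticket or of Django's own code. It works on raw `Set-Cookie` header values using `http.cookies.SimpleCookie`, which is the same class Django uses for `response.cookies`, so the `morsel["samesite"]` / `morsel["secure"]` lookups are the ones a Django test would make. The header strings are constructed samples imitating what Django emits with `SESSION_COOKIE_SAMESITE = 'None'` and `SESSION_COOKIE_SECURE = True`. Two things the ticket's assertions do not distinguish are handled explicitly: a cookie that is not set at all in the response (Django's `SessionMiddleware` only emits the session cookie when the session was modified, and `CsrfViewMiddleware` only emits the CSRF cookie when `get_token()` was used during the request, so a bare GET to a view that touches neither sets neither), and `SameSite=None` without `Secure`, which Chrome 80+ and other current browsers reject outright.

```python
"""Inspect SameSite/Secure attributes of cookies set by a response.

Added example; not code from the Django ticket or from Django itself.
Uses http.cookies.SimpleCookie, the class behind Django's response.cookies.
"""
from http.cookies import SimpleCookie
from typing import Iterable, Optional

# Constructed sample Set-Cookie values (not captured from a real server).
SAMPLE_OK = "sessionid=abc123; HttpOnly; Path=/; SameSite=None; Secure"
SAMPLE_BAD = "csrftoken=xyz789; Path=/; SameSite=None"   # None without Secure
SAMPLE_LAX = "sessionid=abc123; HttpOnly; Path=/; SameSite=Lax"


def cookie_attributes(set_cookie_headers: Iterable[str], name: str) -> Optional[dict]:
    """Parse Set-Cookie header values and describe the cookie called ``name``.

    Returns None when no header sets that cookie at all. That case has to be
    separated from "attributes missing": in Django a response only carries
    the session cookie if the session was modified, and only carries the
    CSRF cookie if get_token() was used, so a plain GET to "/" may set neither.
    """
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)            # load() accumulates morsels across calls
    morsel = jar.get(name)
    if morsel is None:
        return None
    return {
        # Morsel stores '' for absent attributes and True for present flags.
        "samesite": morsel["samesite"] or None,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def samesite_problems(attrs: Optional[dict]) -> list:
    """Return policy violations for a parsed cookie (empty list if it is fine).

    SameSite=None is only honoured by browsers when Secure is also present;
    without Secure the cookie is dropped rather than sent cross-site.
    """
    if attrs is None:
        return ["cookie not set in this response"]
    problems = []
    if attrs["samesite"] is None:
        problems.append("SameSite attribute missing")
    elif attrs["samesite"].lower() == "none" and not attrs["secure"]:
        problems.append("SameSite=None requires Secure")
    return problems


if __name__ == "__main__":
    for header, key in ((SAMPLE_OK, "sessionid"), (SAMPLE_BAD, "csrftoken"),
                        (SAMPLE_LAX, "sessionid"), (SAMPLE_OK, "csrftoken")):
        attrs = cookie_attributes([header], key)
        print(key, attrs, samesite_problems(attrs))
```

On a Django test-client response the same checks apply to `res.cookies` directly (it already is a `SimpleCookie`), or to the raw header values via `[m.OutputString() for m in res.cookies.values()]`; the first thing to assert in a test like the ticket's is that the cookie is present at all, which for the session cookie means the view under test must write to `request.session`.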
