Conversation


@felixxm felixxm commented Jul 15, 2020

ticket-31790

Cookies with the "SameSite" flag set to None and without the "secure" flag will soon be rejected by the latest browser versions.

This affects sessions and messages cookies.

We can decide that this should be backported to Django 2.2 🤔

@felixxm felixxm requested a review from carltongibson July 15, 2020 11:00
@carltongibson carltongibson left a comment

OK, yes, nice. Thanks @felixxm.

Given the comment in the method documentation, I wonder if this should have been part of 9a56b4b 🤔
Either way, if browsers are going to start breaking things here, I guess the case for a backport to 2.2 is reasonable.

felixxm commented Jul 15, 2020

  • Cookie “messages” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

  • Cookie “sessionid” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

We don't set the SameSite cookie flag in delete_cookie(), so browsers treat it as "none" and they will soon be rejected because the secure flag is not set on them. I'm afraid that cookie deletion may be ignored without this patch 😱

We could always set the secure flag, but I think it's better to pass the samesite value from the deleted cookie.

I will revert this note in the docs; it's not true.

felixxm commented Jul 15, 2020

@carltongibson I've prepared a patch for backporting and fixed setting the Secure cookie flag for cookies that use samesite='none'.
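As an added illustration (not code from this PR or from Django) of the two comments above: a minimal model of the pre-fix delete that carries no SameSite attribute, the corrected delete that passes samesite through and forces Secure for samesite='none', and a checker for the browser policy that rejects SameSite=None without Secure. The function names, the `missing_is_none` switch and the `__Secure-`/`__Host-` prefix handling are assumptions of this example.

```python
# Added illustration, not Django's own code: the delete-cookie behaviour the
# comments above describe (no SameSite, so Secure is missing too) next to the
# corrected form, plus a check modelling the browser policy that rejects it.
from http.cookies import SimpleCookie

EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"
SECURE_PREFIXES = ("__Secure-", "__Host-")  # assumed prefix rule for this example


def build_set_cookie(key, value="", **attrs):
    """Render one Set-Cookie header value (Python >= 3.8 for 'samesite')."""
    cookie = SimpleCookie()
    cookie[key] = value
    morsel = cookie[key]
    for name, val in attrs.items():
        if val is not None and val is not False:  # skip unset attributes/flags
            morsel[name.replace("_", "-")] = val
    return morsel.OutputString()


def delete_cookie_naive(key, path="/", domain=None):
    """Pre-fix behaviour: expire the cookie without any SameSite attribute;
    Secure is set only for the __Secure-/__Host- prefixes."""
    return build_set_cookie(key, max_age=0, expires=EPOCH, path=path,
                            domain=domain, secure=key.startswith(SECURE_PREFIXES))


def delete_cookie_fixed(key, path="/", domain=None, samesite=None):
    """Fixed behaviour: carry the deleted cookie's samesite over and force
    Secure whenever samesite is "none" (hypothetical signature)."""
    secure = key.startswith(SECURE_PREFIXES) or (
        samesite is not None and samesite.lower() == "none")
    return build_set_cookie(key, max_age=0, expires=EPOCH, path=path,
                            domain=domain, secure=secure, samesite=samesite)


def rejected_by_browser(header, missing_is_none=True):
    """True when a Set-Cookie header has SameSite=None without Secure. With
    missing_is_none (the treatment the comments describe), an absent
    SameSite attribute counts as None."""
    attrs = {}
    for part in header.split(";")[1:]:
        name, _, val = part.strip().partition("=")
        attrs[name.lower()] = val.lower()
    samesite = attrs.get("samesite", "none" if missing_is_none else "lax")
    return samesite == "none" and "secure" not in attrs
```

`rejected_by_browser()` takes any Set-Cookie header value, so it can also be run over a captured response to find cookies the policy would drop.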

@felixxm felixxm changed the title from "Fixed #31790 -- Fixed setting SameSite cookie flag for deleted session/messages cookies." to "Fixed #31790 -- Fixed setting SameSite and Secure cookies flags in HttpResponse.delete_cookie()." Jul 15, 2020

@carltongibson carltongibson left a comment

Release notes and everything. 🙂
Perfect. Thanks.

felixxm commented Jul 16, 2020

Thanks for checking.

@felixxm felixxm merged commit 240cbb6 into django:master Jul 16, 2020
@felixxm felixxm deleted the issue-31790 branch July 16, 2020 06:17