#27328: return `Set-Cookie` if sessionid= None value
-------------------------------------+-------------------------------------
     Reporter:  Ramin Farajpour      |                    Owner:  nobody
  Cami                               |
         Type:  Bug                  |                   Status:  new
    Component:  HTTP handling        |                  Version:  1.10
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Collin Anderson):

 Whenever Django sees an invalid `sessionid` cookie, it tells the browser
 to delete that cookie.

 The only way to tell a browser to delete a cookie is by expiring it.
 Django uses a past expiration date of `01-Jan-1970` and sets `Max-Age=0`
 (valid for 0 seconds).

 This happens both in the case of an empty `sessionid` cookie, like your
 case:
 {{{
 $ curl --silent -i https://www.djangoproject.com/admin/login/ -H'Referer:
 https://www.djangoproject.com/' -H'Cookie: sessionid=;csrftoken=d'
 -d'csrfmiddlewaretoken=d' | grep Set-Cookie
 Set-Cookie: sessionid=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0;
 Path=/
 Set-Cookie: csrftoken=d; expires=Tue, 10-Oct-2017 17:05:40 GMT; HttpOnly;
 Max-Age=31449600; Path=/; Secure
 }}}

 But it also happens when the `sessionid` cookie is sent, but it's invalid:
 {{{
 $ curl --silent -i https://www.djangoproject.com/admin/login/ -H'Referer:
 https://www.djangoproject.com/' -H'Cookie:
 sessionid=bad_invalid_data_here;csrftoken=d' -d'csrfmiddlewaretoken=d' |
 grep Set-Cookie
 Set-Cookie: sessionid=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0;
 Path=/
 Set-Cookie: csrftoken=d; expires=Tue, 10-Oct-2017 17:05:40 GMT; HttpOnly;
 Max-Age=31449600; Path=/; Secure
 }}}

 Why are you sending a `sessionid` cookie in the first place? It seems to
 me if you don't have a valid `sessionid` cookie, you shouldn't be sending
 it to Django. Does that sound right? Either that or can you ignore the
 `Set-Cookie:` header if it says `Max-Age=0`?

--
Ticket URL: <https://code.djangoproject.com/ticket/27328#comment:9>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
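
One way for a client to honour the deletion described in the comment above, as an added example (not Django's code and not from the ticket): replay the two captured `Set-Cookie` lines against a small cookie jar, dropping any cookie whose `Max-Age` is 0 or whose `Expires` is in the past instead of storing an empty `sessionid`. The capture date used as "now" is a constructed assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# The two Set-Cookie lines from the curl output quoted in the comment.
SET_COOKIE_HEADERS = [
    "sessionid=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/",
    "csrftoken=d; expires=Tue, 10-Oct-2017 17:05:40 GMT; HttpOnly; "
    "Max-Age=31449600; Path=/; Secure",
]


def is_deletion(morsel, now):
    """True when the server is telling the client to discard this cookie.
    Per RFC 6265, Max-Age wins over Expires; Max-Age <= 0 or an Expires
    date that is not in the future both mean 'expire immediately'."""
    max_age = morsel["max-age"]
    if max_age != "":
        try:
            return int(max_age) <= 0
        except ValueError:
            pass  # malformed Max-Age is ignored; fall back to Expires
    expires = morsel["expires"]
    if expires:
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return False  # unparseable date: treat as a normal cookie
        if when.tzinfo is None:  # naive result: assume UTC
            when = when.replace(tzinfo=timezone.utc)
        return when <= now
    return False


def apply_set_cookie(jar, headers, now=None):
    """Update a {name: value} jar from Set-Cookie headers; deletions remove
    the name instead of storing an empty value."""
    now = now or datetime.now(timezone.utc)
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            if is_deletion(morsel, now):
                jar.pop(name, None)
            else:
                jar[name] = morsel.value
    return jar


def example_jar():
    """Replay the captured headers over a jar holding a stale sessionid."""
    capture_time = datetime(2016, 10, 11, tzinfo=timezone.utc)  # constructed
    return apply_set_cookie({"sessionid": "stale", "csrftoken": "old"},
                            SET_COOKIE_HEADERS, now=capture_time)
```

After replaying the headers the jar keeps only `csrftoken=d`, so the next request carries no `sessionid` at all rather than an empty one.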
