#27328: return `Set-Cookie` if sessionid= None value
-------------------------------------+-------------------------------------
     Reporter:  Ramin Farajpour Cami |                    Owner:  nobody
         Type:  Bug                  |                   Status:  new
    Component:  HTTP handling        |                  Version:  1.10
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by Collin Anderson):

 Whenever Django sees an invalid `sessionid` cookie, it tells the browser to delete that cookie. The only way to tell a browser to delete a cookie is by expiring it. Django uses a past expiration date of `01-Jan-1970` and sets `Max-Age=0` (valid for 0 seconds).

 This happens both in the case of an empty `sessionid` cookie, like your case:

 {{{
 $ curl --silent -i https://www.djangoproject.com/admin/login/ -H'Referer: https://www.djangoproject.com/' -H'Cookie: sessionid=;csrftoken=d' -d'csrfmiddlewaretoken=d' | grep Set-Cookie
 Set-Cookie: sessionid=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
 Set-Cookie: csrftoken=d; expires=Tue, 10-Oct-2017 17:05:40 GMT; HttpOnly; Max-Age=31449600; Path=/; Secure
 }}}

 But it also happens when the `sessionid` cookie is sent, but it's invalid:

 {{{
 $ curl --silent -i https://www.djangoproject.com/admin/login/ -H'Referer: https://www.djangoproject.com/' -H'Cookie: sessionid=bad_invalid_data_here;csrftoken=d' -d'csrfmiddlewaretoken=d' | grep Set-Cookie
 Set-Cookie: sessionid=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
 Set-Cookie: csrftoken=d; expires=Tue, 10-Oct-2017 17:05:40 GMT; HttpOnly; Max-Age=31449600; Path=/; Secure
 }}}

 Why are you sending a `sessionid` cookie in the first place? It seems to me if you don't have a valid `sessionid` cookie, you shouldn't be sending it to Django. Does that sound right? Either that or can you ignore the `Set-Cookie:` header if it says `Max-Age=0`?

-- 
Ticket URL: <https://code.djangoproject.com/ticket/27328#comment:9>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
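One way a client can honour the deletion Django is sending, as an added example that is not code from the ticket or from Django: it parses the two `Set-Cookie` headers quoted in the comment and removes a cookie from a local jar when `Max-Age` is 0 (or `Expires` lies in the past) instead of storing the empty `sessionid=` and sending it back. The dict-shaped jar and the helper names are assumptions made for this example.

```python
# Added example: apply Set-Cookie headers to a client-side {name: value} jar,
# dropping a cookie the server expires. Sample headers are the two from the ticket.
from datetime import datetime, timezone

# Netscape-style cookie date (what Django emits) plus the RFC 1123 form
_DATE_FORMATS = ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT")

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attr keys lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:  # flags such as HttpOnly / Secure get an empty value
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def _parse_cookie_date(text):
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None  # unparseable or absent Expires

def is_deletion(attrs, now):
    """True when the server is removing the cookie: Max-Age <= 0, otherwise
    Expires in the past. Max-Age wins over Expires when both are present (RFC 6265)."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # malformed Max-Age is ignored; fall back to Expires
    expires = _parse_cookie_date(attrs.get("expires", ""))
    return expires is not None and expires <= now

def apply_set_cookie(jar, header, now=None):
    """Update the jar from one Set-Cookie header value and return it."""
    now = now or datetime.now(timezone.utc)
    name, value, attrs = parse_set_cookie(header)
    if is_deletion(attrs, now):
        jar.pop(name, None)  # do not keep 'sessionid=' around, so it is never resent
    else:
        jar[name] = value
    return jar

# Constructed sample input: the headers Django returned in the ticket
DELETE_SESSION = "sessionid=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/"
SET_CSRF = "csrftoken=d; expires=Tue, 10-Oct-2017 17:05:40 GMT; HttpOnly; Max-Age=31449600; Path=/; Secure"
```

Running `apply_set_cookie` over both headers on a jar that still holds a stale `sessionid` leaves only `csrftoken`, which is the state the comment asks the client to reach before its next request.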