#28989: Allow deleting cookies using restricted cookie prefixes
------------------------------------------+--------------------------
               Reporter:  Alvin Lindstam  |          Owner:  nobody
                   Type:  Uncategorized   |         Status:  assigned
              Component:  Uncategorized   |        Version:  2.0
               Severity:  Normal          |       Keywords:
           Triage Stage:  Unreviewed      |      Has patch:  0
    Needs documentation:  0               |    Needs tests:  0
Patch needs improvement:  0               |  Easy pickings:  0
                  UI/UX:  0               |
------------------------------------------+--------------------------

When using a cookie name with a cookie prefix such as `__Secure-` or `__Host-`, modern browsers (all except Internet Explorer) ignore the Set-Cookie-header if it does not use the secure flag and otherwise match the prefix's requirements.

Django's `response.delete_cookie` method always results in a Set-Cookie-header without the secure flag, which means that it can't delete those cookies.

It should be possible to delete those cookies, and the prefixes should be possible to use as `SESSION_COOKIE_NAME` (they are currently not deleted when the session is emptied).

--
Ticket URL: <https://code.djangoproject.com/ticket/28989>
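
The behaviour reported above, as an added example that is not part of the ticket and not Django's own code: a standard-library check of a Set-Cookie value against the cookie-prefix rules (`__Secure-` requires Secure; `__Host-` also requires Path=/ and no Domain), next to an expiring header that satisfies them. The names `prefix_violations` and `expiring_cookie` are hypothetical, and inferring Secure from the cookie name is an assumption of this example.

```python
from http.cookies import SimpleCookie

PREFIXES = ("__Secure-", "__Host-")


def prefix_violations(set_cookie_value):
    """List the reasons a prefix-enforcing browser would ignore this Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    problems = []
    for name, morsel in jar.items():
        # Both prefixes require the Secure attribute.
        if name.startswith(PREFIXES) and not morsel["secure"]:
            problems.append(f"{name}: missing Secure")
        # __Host- additionally pins the cookie to the host and the root path.
        if name.startswith("__Host-"):
            if morsel["path"] != "/":
                problems.append(f"{name}: Path must be /")
            if morsel["domain"]:
                problems.append(f"{name}: Domain not allowed")
    return problems


def expiring_cookie(name, path="/", domain=None, secure=None):
    """Build a Set-Cookie value that expires `name`.

    secure=None infers the flag from the name prefix (assumption of this example).
    """
    if secure is None:
        secure = name.startswith(PREFIXES)
    jar = SimpleCookie()
    jar[name] = ""
    jar[name]["path"] = path
    jar[name]["max-age"] = 0
    jar[name]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
    if domain:
        jar[name]["domain"] = domain
    if secure:
        jar[name]["secure"] = True
    return jar[name].OutputString()


if __name__ == "__main__":
    # Constructed cookie name; the first header lacks Secure, as the ticket describes.
    for header in (expiring_cookie("__Host-sessionid", secure=False),
                   expiring_cookie("__Host-sessionid")):
        print(header, "->", prefix_violations(header) or "accepted")
```

A deletion header that fails the check is dropped by the browser, so the original prefixed cookie stays in place until it expires on its own.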