diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-07-16 09:30:15 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-07-16 09:35:35 +0200 |
| commit | f1a6e6c817f3205ea7da6f973f51524ff630dda5 (patch) | |
| tree | 0c68c7a7ddcea7000cb2f83f636397f3ac7d7b0b /django | |
| parent | 6f09ee2be3c0ce07b096af7ac63b64ee7cfc23cf (diff) | |
| download | django-f1a6e6c817f3205ea7da6f973f51524ff630dda5.tar.gz | |
[2.2.x] Fixed #31790 -- Fixed setting SameSite cookies flag in HttpResponse.delete_cookie().
Cookies with the "SameSite" flag set to None and without the "secure"
flag will be soon rejected by latest browser versions.
This affects sessions and messages cookies.
Backport of 331324ecce1330dce3dbd1713203cb9a42854ad7 from stable/3.0.x
Diffstat (limited to 'django')
| -rw-r--r-- | django/contrib/messages/storage/cookie.py | 6 | ||||
| -rw-r--r-- | django/contrib/sessions/middleware.py | 1 | ||||
| -rw-r--r-- | django/http/response.py | 4 |
3 files changed, 8 insertions, 3 deletions
diff --git a/django/contrib/messages/storage/cookie.py b/django/contrib/messages/storage/cookie.py index 9e0c93e436..057d573d3f 100644 --- a/django/contrib/messages/storage/cookie.py +++ b/django/contrib/messages/storage/cookie.py @@ -89,7 +89,11 @@ class CookieStorage(BaseStorage): samesite=settings.SESSION_COOKIE_SAMESITE, ) else: - response.delete_cookie(self.cookie_name, domain=settings.SESSION_COOKIE_DOMAIN) + response.delete_cookie( + self.cookie_name, + domain=settings.SESSION_COOKIE_DOMAIN, + samesite=settings.SESSION_COOKIE_SAMESITE, + ) def _store(self, messages, response, remove_oldest=True, *args, **kwargs): """ diff --git a/django/contrib/sessions/middleware.py b/django/contrib/sessions/middleware.py index 6795354cc5..a464b44245 100644 --- a/django/contrib/sessions/middleware.py +++ b/django/contrib/sessions/middleware.py @@ -39,6 +39,7 @@ class SessionMiddleware(MiddlewareMixin): settings.SESSION_COOKIE_NAME, path=settings.SESSION_COOKIE_PATH, domain=settings.SESSION_COOKIE_DOMAIN, + samesite=settings.SESSION_COOKIE_SAMESITE, ) else: if accessed: diff --git a/django/http/response.py b/django/http/response.py index f7d248e933..5a693b1786 100644 --- a/django/http/response.py +++ b/django/http/response.py @@ -210,13 +210,13 @@ class HttpResponseBase: value = signing.get_cookie_signer(salt=key + salt).sign(value) return self.set_cookie(key, value, **kwargs) - def delete_cookie(self, key, path='/', domain=None): + def delete_cookie(self, key, path='/', domain=None, samesite=None): # Most browsers ignore the Set-Cookie header if the cookie name starts # with __Host- or __Secure- and the cookie doesn't use the secure flag. secure = key.startswith(('__Secure-', '__Host-')) self.set_cookie( key, max_age=0, path=path, domain=domain, secure=secure, - expires='Thu, 01 Jan 1970 00:00:00 GMT', + expires='Thu, 01 Jan 1970 00:00:00 GMT', samesite=samesite, ) # Common methods used by subclasses |