From 47a99d701277f6ec98e6fd220feb9c8a1e66718e Mon Sep 17 00:00:00 2001 From: Alvin Lindstam Date: Thu, 4 Jan 2018 18:53:35 +0100 Subject: [PATCH] Fixed #28989 -- Fixed HttpResponse.delete_cookie() for cookies that use __Secure/Host prefixes. --- django/http/response.py | 9 +++++++-- tests/responses/test_cookie.py | 13 +++++++++++++ 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/django/http/response.py b/django/http/response.py index 76d731d53f..b6f29cc056 100644 --- a/django/http/response.py +++ b/django/http/response.py @@ -205,8 +205,13 @@ class HttpResponseBase: return self.set_cookie(key, value, **kwargs) def delete_cookie(self, key, path='/', domain=None): - self.set_cookie(key, max_age=0, path=path, domain=domain, - expires='Thu, 01 Jan 1970 00:00:00 GMT') + # Most browsers ignore the Set-Cookie header if the cookie name starts + # with __Host- or __Secure- and the cookie doesn't use the secure flag. + secure = key.startswith(('__Secure-', '__Host-')) + self.set_cookie( + key, max_age=0, path=path, domain=domain, secure=secure, + expires='Thu, 01 Jan 1970 00:00:00 GMT', + ) # Common methods used by subclasses diff --git a/tests/responses/test_cookie.py b/tests/responses/test_cookie.py index cbd65926c0..148963fa59 100644 --- a/tests/responses/test_cookie.py +++ b/tests/responses/test_cookie.py @@ -91,3 +91,16 @@ class DeleteCookieTests(SimpleTestCase): self.assertEqual(cookie['path'], '/') self.assertEqual(cookie['secure'], '') self.assertEqual(cookie['domain'], '') + + def test_delete_cookie_secure_prefix(self): + """ + delete_cookie() sets the secure flag if the cookie name starts with + __Host- or __Secure- (without that, browsers ignore cookies with those + prefixes). + """ + response = HttpResponse() + for prefix in ('Secure', 'Host'): + with self.subTest(prefix=prefix): + cookie_name = '__%s-c' % prefix + response.delete_cookie(cookie_name) + self.assertEqual(response.cookies[cookie_name]['secure'], True)