Cookie-backed sessions fail to flush with a custom SESSION_COOKIE_DOMAIN

[Pindi Albert]

In Django 1.8, the behavior of SessionStore.flush() was changed according to the release notes to delete the session cookie. However, with a custom SESSION_COOKIE_DOMAIN, the custom domain is included when the cookie is set, but not when it is deleted. This makes browsers ignore the attempted deletion and the cookie remains.

This is fine for database-backed sessions, since the session is also removed from the database, but with cookie-backed sessions the end result is that flush() is a no-op, the worst consequence being users are unable to log out of sites.

Here's an example of Django setting the session cookie on login:

Set-Cookie: sessionid="<redacted>"; Domain=.example.local; expires=Wed, 27-May-2015 22:58:18 GMT; httponly; Max-Age=1209600; Path=/

And here's an example of it attempting but failing to delete it on logout (note the lack of Domain field):

Set-Cookie:sessionid=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/

Steps to reproduce:

1. Start a new Django project. Enable the admin.
2. Add the following settings:
   • SESSION_COOKIE_DOMAIN = '.example.local'
   • SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies'
3. Set up your machine so that "www.example.local" resolves to 127.0.0.1, then access the development server using "www.example.local".
4. Create a superuser and log into the admin.
5. Click "Logout" in the admin. While the page says you were logged out, if you go back to "www.example.local/admin" you will still be logged in.

[Tim Graham <timograham@…>]

In 2dee853:

Fixed #24799 -- Fixed session cookie deletion when using SESSION_COOKIE_DOMAIN

[Tim Graham <timograham@…>]

In 3c659856:

[1.8.x] Fixed #24799 -- Fixed session cookie deletion when using SESSION_COOKIE_DOMAIN

Backport of 2dee853ed4def42b7ef1b3b472b395055543cc00 from master