Opened 8 years ago
Last modified 8 years ago
#28119 new New feature
Test client cookies do not take into account server hostnames/domains — at Version 1
Reported by: | Ali Kaafarani | Owned by: | nobody |
---|---|---|---|
Component: | Testing framework | Version: | 1.11 |
Severity: | Normal | Keywords: | test, client, cookie, domain |
Cc: | | Triage Stage: | Someday/Maybe |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
A couple of issues arise in the testing framework when a Django project supports multiple hostnames.
- Cookies received don't set the domain field
- Cookies with a domain field are still included in requests to a different domain than the one in the cookie
Example of `domain` not being set:

```python
from django.test import Client

client = Client()

# 1. Make a request with explicit SERVER_NAME
response = client.get('/', SERVER_NAME='foo.local')

# 2. Note that response.cookies['csrftoken']['domain'] has no value
```

Expected result: `response.cookies['csrftoken']['domain']` was set to the value of `SERVER_NAME` (default would be `testserver`).
Rationale: Browsers do this, according to the specification: https://tools.ietf.org/html/rfc2965 (4.3.1 Interpreting Set-Cookie: Domain Defaults to the request-host)
---
Example of cookies sent incorrectly to another domain:
```python
from django.test import Client

client = Client()

# 1. Make request with explicit SERVER_NAME, receive `csrftoken` cookie
response = client.get('/', SERVER_NAME='foo.local')

# 2. Note that client.cookies['csrftoken'] now has some value (eg. "123456")

# 3. Set the domain on the cookie
client.cookies['csrftoken']['domain'] = 'bar.local'

# 4. Make request to different domain
response = client.get('/', SERVER_NAME='bar.local')

# 5. Note that client.cookies['csrftoken'] was sent with the request,
#    re-used by the server, and still has the same value (eg. "123456")
```
Expected result: On step 4, the client does not include the cookie with non-matching domain name.
Rationale: Using `SERVER_NAME`, the client should simulate browser behaviour by not sending cookies incorrectly to different hostnames.
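The host scoping the ticket asks for, as an added example that is not part of the ticket or of Django: a stdlib-only jar that defaults a cookie's scope to the request host and filters what is sent per host. `HostAwareJar`, `domain_match`, `demo` and all hostnames and values are hypothetical; the public-suffix and IP-address checks a browser applies are omitted.

```python
from http.cookies import SimpleCookie


def domain_match(host, domain):
    """True if host equals domain or is a subdomain of it (leading dot ignored)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


class HostAwareJar:
    """Hypothetical helper (not a Django API): remembers each cookie's host scope."""

    def __init__(self):
        self._entries = {}  # (name, domain) -> (value, host_only)

    def store(self, response_cookies, request_host):
        """Record cookies from a response that was served for request_host."""
        host = request_host.lower()
        for name, morsel in response_cookies.items():
            domain = morsel["domain"].lower().lstrip(".")
            if not domain:
                # No Domain attribute: default to the request host, exact match only.
                self._entries[(name, host)] = (morsel.value, True)
            elif domain_match(host, domain):
                self._entries[(name, domain)] = (morsel.value, False)
            # Otherwise the host tried to set a cookie for a foreign domain: drop it.

    def for_request(self, request_host):
        """Return a SimpleCookie holding only the cookies a browser would send."""
        host, out = request_host.lower(), SimpleCookie()
        for (name, domain), (value, host_only) in self._entries.items():
            sendable = (host == domain) if host_only else domain_match(host, domain)
            if sendable:
                out[name] = value
        return out


def demo():
    """Constructed sample: one host-only cookie and one domain-wide cookie."""
    jar = HostAwareJar()
    csrf = SimpleCookie()
    csrf["csrftoken"] = "123456"  # no Domain attribute, as in the ticket
    jar.store(csrf, "foo.local")
    shared = SimpleCookie()
    shared["sessionid"] = "abc"
    shared["sessionid"]["domain"] = ".example.test"
    jar.store(shared, "a.example.test")
    hosts = ("foo.local", "bar.local", "b.example.test")
    return {h: sorted(jar.for_request(h)) for h in hosts}
```

In a Django test, assigning `jar.for_request(host)` to `client.cookies` before each request would apply the filter; that wiring is an assumption and not something the test client does itself.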
Change History (1)
comment:1 by , 8 years ago
Description: | modified (diff) |
---|---|
Type: | Uncategorized → New feature |