Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#30785 closed Cleanup/optimization (invalid)

Documentation missing info about subdomain wildcard for SESSION_COOKIE_DOMAIN.

Reported by: Ronny Vedrilla
Owned by: Ronny Vedrilla
Component: Documentation
Version: dev
Severity: Normal
Keywords: documentation
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

I had to work with SESSION_COOKIE_DOMAIN and it took me a while to realize that SESSION_COOKIE_DOMAIN can work with subdomain wildcards like ".djangoproject.com". It is stated in other cookie settings but not here. It's quite misleading.

Also it would be useful to add the info that you need to remove already set cookies in order to make it work.

I tried to create a pull request but I couldn't find the source code anywhere...

Best regards from Cologne
Ronny

Change History (7)

comment:1 by Mariusz Felisiak, 5 years ago

Easy pickings: set
Summary: Documentation missing info about subdomain wildcard for SESSION_COOKIE_DOMAIN → Documentation missing info about subdomain wildcard for SESSION_COOKIE_DOMAIN.
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization
Version: 2.2 → master

Thanks for this ticket. I agree we can add a sentence about cross-subdomains.

> Also it would be useful to add the info that you need to remove already set cookies in order to make it work.

It is already documented: "Be cautious when updating this setting on a production site. If you update this setting to enable cross-domain cookies on a site that previously used standard domain cookies, existing user cookies will be set to the old domain. This may result in them being unable to log in as long as these cookies persist."

Documentation is part of the main repository; a patch is welcome.

comment:2 by Ronny Vedrilla, 5 years ago

@felixxm PR created, thanks for the hint: https://github.com/django/django/pull/11793

comment:3 by Mariusz Felisiak, 5 years ago

Has patch: set
Owner: changed from nobody to Ronny Vedrilla
Status: new → assigned

comment:4 by Mariusz Felisiak, 5 years ago

Resolution: invalid
Status: assigned → closed

Sorry for the confusion, but it seems that a leading dot is not necessary anymore (see ticket #28741 and afd375fc343baa46e61036087bc43b3d096bb0ca).

in reply to:  4 comment:5 by Ronny Vedrilla, 5 years ago

Replying to felixxm:

> Sorry for the confusion, but it seems that a leading dot is not necessary anymore (see ticket #28741 and afd375fc343baa46e61036087bc43b3d096bb0ca).

In version 2.2 you definitely need it. I was stuck for 3h.

comment:6 by Mariusz Felisiak, 5 years ago

It works for me, e.g. with SESSION_COOKIE_DOMAIN = 'djangoproject.localhost' my session cookie is set with a leading dot:

sessionid:"xxxx"
CreationTime:"Mon, 23 Sep 2019 12:02:22 GMT"
Domain:".djangoproject.localhost"
...

See also Mozilla's documentation and RFC 6265.

Closing per TicketClosingReasons/UseSupportChannels.
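
Added example (not part of the ticket or of Django's code): a minimal Python model of the RFC 6265 Domain rules cited in comment 6, showing that a Domain value with and without a leading dot is stored identically and that any Domain value widens the cookie to every subdomain. The function names and the subdomain host names are constructed for illustration; public-suffix checks that browsers also apply are not modelled.

```python
import ipaddress
from typing import NamedTuple, Optional


class StoredCookie(NamedTuple):
    domain: str       # canonical cookie domain, never with a leading dot
    host_only: bool   # True when the response carried no Domain attribute


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: identical, or a dot-separated suffix of a host name."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    if host == cookie_domain:
        return True
    return host.endswith("." + cookie_domain) and not is_ip(host)


def store(request_host: str, domain_attr: Optional[str]) -> Optional[StoredCookie]:
    """Sections 5.2.3 and 5.3: the scope a user agent records for the cookie.
    Returns None when the cookie is rejected."""
    request_host = request_host.lower()
    if not domain_attr:
        # No Domain attribute: the cookie is bound to the exact host that set it.
        return StoredCookie(request_host, host_only=True)
    # Section 5.2.3: a single leading dot is dropped before anything else happens.
    cookie_domain = domain_attr[1:] if domain_attr.startswith(".") else domain_attr
    cookie_domain = cookie_domain.lower()
    if not domain_match(request_host, cookie_domain):
        return None  # a host may not set cookies for an unrelated domain
    return StoredCookie(cookie_domain, host_only=False)


def is_sent(cookie: StoredCookie, request_host: str) -> bool:
    """Section 5.4: whether the cookie accompanies a request to request_host."""
    request_host = request_host.lower()
    if cookie.host_only:
        return request_host == cookie.domain
    return domain_match(request_host, cookie.domain)
```

Leaving SESSION_COOKIE_DOMAIN unset corresponds to the host-only branch; setting it, with or without the dot, sends the session cookie to every host under that domain, so each of those hosts has to be trusted with it.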

in reply to:  6 comment:7 by Ronny Vedrilla, 5 years ago

Replying to felixxm:

> It works for me, e.g. with SESSION_COOKIE_DOMAIN = 'djangoproject.localhost' my session cookie is set with a leading dot:
>
> sessionid:"xxxx"
> CreationTime:"Mon, 23 Sep 2019 12:02:22 GMT"
> Domain:".djangoproject.localhost"
> ...
>
> See also Mozilla's documentation and RFC 6265.
>
> Closing per TicketClosingReasons/UseSupportChannels.

Ok, then maybe we should add a sentence that it works like this for subdomains?
