#30785 closed Cleanup/optimization (invalid)
Documentation missing info about subdomain wildcard for SESSION_COOKIE_DOMAIN.
| Reported by: | Ronny Vedrilla | Owned by: | Ronny Vedrilla |
|---|---|---|---|
| Component: | Documentation | Version: | dev |
| Severity: | Normal | Keywords: | documentation |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
I had to work with SESSION_COOKIE_DOMAIN and it took me a while to realize that SESSION_COOKIE_DOMAIN can work with subdomain wildcards like ".djangoproject.com". It is stated in other cookie settings but not here. It's quite misleading.
Also it would be useful to add the info that you need to remove already set cookies in order to make it work.
I tried to create a pull request but I couldn't find the source code anywhere...
Best regards from Cologne
Ronny
Change History (7)
comment:1 by , 5 years ago
Easy pickings: | set |
---|---|
Summary: | Documentation missing info about subdomain wildcard for SESSION_COOKIE_DOMAIN → Documentation missing info about subdomain wildcard for SESSION_COOKIE_DOMAIN. |
Triage Stage: | Unreviewed → Accepted |
Type: | Uncategorized → Cleanup/optimization |
Version: | 2.2 → master |
comment:2 by , 5 years ago
@felixxm PR created, thanks for the hint: https://github.com/django/django/pull/11793
comment:3 by , 5 years ago
Has patch: | set |
---|---|
Owner: | changed from | to
Status: | new → assigned |
follow-up: 5 comment:4 by , 5 years ago
Resolution: | → invalid |
---|---|
Status: | assigned → closed |
Sorry for the confusion, but it seems that a leading dot is not necessary anymore (see ticket #28741 and afd375fc343baa46e61036087bc43b3d096bb0ca).
comment:5 by , 5 years ago
Replying to felixxm:
> Sorry for the confusion, but it seems that a leading dot is not necessary anymore (see ticket #28741 and afd375fc343baa46e61036087bc43b3d096bb0ca).
In version 2.2 you definitely need it. I was stuck for 3h.
follow-up: 7 comment:6 by , 5 years ago
It works for me e.g. with SESSION_COOKIE_DOMAIN = 'djangoproject.localhost'
my session cookie is set with a leading dot:
sessionid:"xxxx" CreationTime:"Mon, 23 Sep 2019 12:02:22 GMT" Domain:".djangoproject.localhost" ...
see also Mozilla's documentation and RFC6265.
Closing per TicketClosingReasons/UseSupportChannels.
comment:7 by , 5 years ago
Replying to felixxm:
> It works for me e.g. with
> SESSION_COOKIE_DOMAIN = 'djangoproject.localhost'
> my session cookie is set with a leading dot:
> sessionid:"xxxx" CreationTime:"Mon, 23 Sep 2019 12:02:22 GMT" Domain:".djangoproject.localhost" ...
> see also Mozilla's documentation and RFC6265.
> Closing per TicketClosingReasons/UseSupportChannels.
Ok, then maybe we should add a sentence that it works like this for subdomains?
Thanks for this ticket. I agree we can add a sentence about cross-subdomains.
It is already documented: "Be cautious when updating this setting on a production site. If you update this setting to enable cross-domain cookies on a site that previously used standard domain cookies, existing user cookies will be set to the old domain. This may result in them being unable to log in as long as these cookies persist."
Documentation is a part of main repository, patch is welcome.
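The RFC 6265 rules referenced in this thread, as an added example that is not part of the ticket or of Django's code: it shows why a Domain value with and without a leading dot scopes the session cookie to the same set of hosts, and how that differs from a host-only cookie (no Domain attribute). The function names and host names are constructed for illustration, and the public-suffix check that browsers also apply is left out.

```python
import ipaddress


def cookie_domain(attr_value):
    """RFC 6265 section 5.2.3: drop one leading dot, then lowercase."""
    if attr_value.startswith("."):
        attr_value = attr_value[1:]
    return attr_value.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, domain):
    """RFC 6265 section 5.1.3: identical, or a dot-separated suffix of a host name."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    # The character just before the suffix must be ".", and IP literals never suffix-match.
    return host.endswith("." + domain) and not is_ip(host)


def cookie_sent_to(request_host, set_by_host, domain_attr=None):
    """Would a cookie set by set_by_host be returned to request_host?"""
    if not domain_attr:
        # No Domain attribute: host-only cookie, exact host match required.
        return request_host.lower() == set_by_host.lower()
    domain = cookie_domain(domain_attr)
    if not domain_match(set_by_host, domain):
        return False  # section 5.3: the user agent ignores the cookie when it is set
    return domain_match(request_host, domain)


if __name__ == "__main__":
    setter = "www.djangoproject.localhost"  # constructed host names
    for attr in (None, "djangoproject.localhost", ".djangoproject.localhost"):
        for host in (setter, "docs.djangoproject.localhost", "notdjangoproject.localhost"):
            print(f"Domain={attr!r:28} -> {host:30} {cookie_sent_to(host, setter, attr)}")
```

Any value other than `None` for SESSION_COOKIE_DOMAIN therefore exposes the session cookie to every subdomain of that domain, so it should only be set when all of those hosts are trusted to see the session id.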