Fixed #26783 -- Fixed SessionMiddleware's empty cookie deletion when using SESSION_COOKIE_PATH.

d13881bd · Jon Dufresne · Tim Graham · 140c2350 · d13881bd · d13881bd
Kaydet (Commit) d13881bd authored Haz 21, 2016 tarafından Jon Dufresne Kaydeden (comit) Tim Graham Haz 21, 2016
Show whitespace changes
Inline Side-by-side

Showing with 11 additions and 6 deletions

middleware.py django/contrib/sessions/middleware.py +5 -1

tests.py tests/sessions_tests/tests.py +6 -5

No files found.
--- a/django/contrib/sessions/middleware.py
+++ b/django/contrib/sessions/middleware.py
@@ -35,7 +35,11 @@ class SessionMiddleware(MiddlewareMixin):
            # First check if we need to delete this cookie.
            # The session should be deleted only if the session is entirely empty
            if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
-                response.delete_cookie(settings.SESSION_COOKIE_NAME, domain=settings.SESSION_COOKIE_DOMAIN)
+                response.delete_cookie(
+                    settings.SESSION_COOKIE_NAME,
+                    path=settings.SESSION_COOKIE_PATH,
+                    domain=settings.SESSION_COOKIE_DOMAIN,
+                )
            else:
                if accessed:
                    patch_vary_headers(response, ('Cookie',))

--- a/tests/sessions_tests/tests.py
+++ b/tests/sessions_tests/tests.py
@@ -746,8 +746,8 @@ class SessionMiddlewareTests(TestCase):
            str(response.cookies[settings.SESSION_COOKIE_NAME])
        )

-    @override_settings(SESSION_COOKIE_DOMAIN='.example.local')
-    def test_session_delete_on_end_with_custom_domain(self):
+    @override_settings(SESSION_COOKIE_DOMAIN='.example.local', SESSION_COOKIE_PATH='/example/')
+    def test_session_delete_on_end_with_custom_domain_and_path(self):
        request = RequestFactory().get('/')
        response = HttpResponse('Session test')
        middleware = SessionMiddleware()
@@ -763,12 +763,13 @@ class SessionMiddlewareTests(TestCase):
        response = middleware.process_response(request, response)

        # Check that the cookie was deleted, not recreated.
-        # A deleted cookie header with a custom domain looks like:
+        # A deleted cookie header with a custom domain and path looks like:
        #  Set-Cookie: sessionid=; Domain=.example.local;
-        #              expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
+        #              expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0;
+        #              Path=/example/
        self.assertEqual(
            'Set-Cookie: {}={}; Domain=.example.local; expires=Thu, '
-            '01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/'.format(
+            '01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/example/'.format(
                settings.SESSION_COOKIE_NAME,
                '""' if sys.version_info >= (3, 5) else '',
            ),