[Django] #33109: Testing of presence of SameSite and Secure cookies doesn't work


Django

Sep 14, 2021, 2:52:30 AM
to django-...@googlegroups.com
#33109: Testing of presence of SameSite and Secure cookies doesn't work
-------------------------------------+-------------------------------------
Reporter: Adrien Carpentier | Owner: nobody
Type: Bug | Status: new
Component: HTTP handling | Version: 3.1
Severity: Normal | Keywords: cookies, samesite, secure, test
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
When using the following constants in `settings.py`, as Django doc says
(https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-SESSION_COOKIE_SECURE):

CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE = 'None'

But when testing the presence of `SameSite` and `Secure` cookies in the
responses for , there are neither `SameSite` nor `Secure` cookie keys. Here
is a non passing test, for example, for a user agent that should have
`SameSite` and `Secure` cookies:

agent_string = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.2227.0 Safari/537.36"
from django.test import Client
test_client = Client()
res = test_client.get("/", HTTP_USER_AGENT=agent_string)
assert res.cookies.get(self.cookie_key)["samesite"] == "None"
assert res.cookies.get(self.cookie_key)["secure"]

When printing the content of the cookies (`print(res.cookies.items())`),
the cookie keys are not there.

(Until 3.1 I was adding `SameSite` and `Secure` cookies in the responses
through a custom middleware before Django 3.1, depending on the user
agent, with the exact same passing tests. Since Django 3.1, I just removed
the custom middleware and added those constants in `settings.py`).

--
Ticket URL: <https://code.djangoproject.com/ticket/33109>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Sep 14, 2021, 2:53:50 AM
to django-...@googlegroups.com
#33109: Testing of presence of SameSite and Secure cookies doesn't work
-------------------------------------+-------------------------------------
Reporter: Adrien Carpentier | Owner: nobody
Type: Bug | Status: new
Component: HTTP handling | Version: 3.1
Severity: Normal | Resolution:
Keywords: cookies, samesite, | Triage Stage:
secure, test | Unreviewed
Has patch: 0 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Adrien Carpentier:

Old description:

New description:

When using the following constants in `settings.py`, as Django doc says
(https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-SESSION_COOKIE_SECURE):

CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE = 'None'

...and then when testing the presence of `SameSite` and `Secure` cookies
in the responses, there are neither `SameSite` nor `Secure` cookie keys.


Here is a non passing test, for example, for a user agent that should have
`SameSite` and `Secure` cookies:

agent_string = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.2227.0 Safari/537.36"
from django.test import Client
test_client = Client()
res = test_client.get("/", HTTP_USER_AGENT=agent_string)
assert res.cookies.get(self.cookie_key)["samesite"] == "None"
assert res.cookies.get(self.cookie_key)["secure"]

When printing the content of the cookies (`print(res.cookies.items())`),
the cookie keys are not there.

(Until 3.1 I was adding `SameSite` and `Secure` cookies in the responses
through a custom middleware before Django 3.1, depending on the user
agent, with the exact same passing tests. Since Django 3.1, I just removed
the custom middleware and added those constants in `settings.py`).

--

--
Ticket URL: <https://code.djangoproject.com/ticket/33109#comment:1>

Django

Sep 14, 2021, 2:56:19 AM
to django-...@googlegroups.com
#33109: Testing of presence of SameSite and Secure cookies doesn't work
-------------------------------------+-------------------------------------
Reporter: Adrien Carpentier | Owner: nobody
Type: Bug | Status: new

Component: HTTP handling | Version: 3.1
Severity: Normal | Resolution:
Keywords: cookies, samesite, | Triage Stage:
secure, test | Unreviewed
Has patch: 0 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Adrien Carpentier:

Old description:

> When using the following constants in `settings.py`, as Django doc says
> (https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-SESSION_COOKIE_SECURE):
>
> CSRF_COOKIE_SECURE = True
> SESSION_COOKIE_SECURE = True
> CSRF_COOKIE_SAMESITE = 'None'
> SESSION_COOKIE_SAMESITE = 'None'
>

> ...and then when testing the presence of `SameSite` and `Secure` cookies
> in the responses, there are neither `SameSite` nor `Secure` cookie keys.


> Here is a non passing test, for example, for a user agent that should
> have `SameSite` and `Secure` cookies:
>
> agent_string = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.2227.0 Safari/537.36"
> from django.test import Client
> test_client = Client()
> res = test_client.get("/", HTTP_USER_AGENT=agent_string)
> assert res.cookies.get(self.cookie_key)["samesite"] == "None"
> assert res.cookies.get(self.cookie_key)["secure"]
>
> When printing the content of the cookies (`print(res.cookies.items())`),
> the cookie keys are not there.
>
> (Until 3.1 I was adding `SameSite` and `Secure` cookies in the responses
> through a custom middleware before Django 3.1, depending on the user
> agent, with the exact same passing tests. Since Django 3.1, I just
> removed the custom middleware and added those constants in
> `settings.py`).

New description:

When using the following constants in `settings.py`, as Django doc says
(https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-SESSION_COOKIE_SECURE):

{{{
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE = 'None'
}}}

...and then when testing the presence of `SameSite` and `Secure` cookies
in the responses, there are neither `SameSite` nor `Secure` cookie keys.


Here is a non passing test, for example, for a user agent that should have
`SameSite` and `Secure` cookies:

{{{
agent_string = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.2227.0 Safari/537.36"
from django.test import Client
test_client = Client()
res = test_client.get("/", HTTP_USER_AGENT=agent_string)
assert res.cookies.get(self.cookie_key)["samesite"] == "None"
assert res.cookies.get(self.cookie_key)["secure"]
}}}

When printing the content of the cookies (`print(res.cookies.items())`),
the cookie keys are not there.

(Until 3.1 I was adding `SameSite` and `Secure` cookies in the responses
through a custom middleware before Django 3.1, depending on the user
agent, with the exact same passing tests. Since Django 3.1, I just removed
the custom middleware and added those constants in `settings.py`).

--

--
Ticket URL: <https://code.djangoproject.com/ticket/33109#comment:2>

Django

Sep 14, 2021, 2:56:43 AM
to django-...@googlegroups.com
#33109: Testing the presence of SameSite and Secure cookies doesn't work
-------------------------------------+-------------------------------------
Reporter: Adrien Carpentier | Owner: nobody
Type: Bug | Status: new

Component: HTTP handling | Version: 3.1
Severity: Normal | Resolution:
Keywords: cookies, samesite, | Triage Stage:
secure, test | Unreviewed
Has patch: 0 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

--
Ticket URL: <https://code.djangoproject.com/ticket/33109#comment:3>

Django

Sep 14, 2021, 3:05:29 AM
to django-...@googlegroups.com
#33109: Testing the presence of SameSite and Secure cookies doesn't work
-------------------------------------+-------------------------------------
Reporter: Adrien Carpentier | Owner: nobody
Type: Bug | Status: new

Component: HTTP handling | Version: 3.1
Severity: Normal | Resolution:
Keywords: cookies, samesite, | Triage Stage:
secure, test | Unreviewed
Has patch: 0 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Adrien Carpentier:

Old description:

> When using the following constants in `settings.py`, as Django doc says
> (https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-SESSION_COOKIE_SECURE):
>
> {{{
> CSRF_COOKIE_SECURE = True
> SESSION_COOKIE_SECURE = True
> CSRF_COOKIE_SAMESITE = 'None'
> SESSION_COOKIE_SAMESITE = 'None'
> }}}
>

> ...and then when testing the presence of `SameSite` and `Secure` cookies
> in the responses, there are neither `SameSite` nor `Secure` cookie keys.


> Here is a non passing test, for example, for a user agent that should
> have `SameSite` and `Secure` cookies:
>
> {{{
> agent_string = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.2227.0 Safari/537.36"
> from django.test import Client
> test_client = Client()
> res = test_client.get("/", HTTP_USER_AGENT=agent_string)
> assert res.cookies.get(self.cookie_key)["samesite"] == "None"
> assert res.cookies.get(self.cookie_key)["secure"]
> }}}
>
> When printing the content of the cookies (`print(res.cookies.items())`),
> the cookie keys are not there.
>
> (Until 3.1 I was adding `SameSite` and `Secure` cookies in the responses
> through a custom middleware before Django 3.1, depending on the user
> agent, with the exact same passing tests. Since Django 3.1, I just
> removed the custom middleware and added those constants in
> `settings.py`).

New description:

When using the following constants in `settings.py`, as Django doc says
(https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-SESSION_COOKIE_SECURE):

{{{
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE = 'None'
}}}

...and then when testing the presence of `SameSite` and `Secure` cookies
in the responses, there are neither `SameSite` nor `Secure` cookie keys.


Here is a non passing test, for example, for a user agent that should have
`SameSite` and `Secure` cookies:

{{{
agent_string = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.2227.0 Safari/537.36"
from django.test import Client
test_client = Client()
res = test_client.get("/", HTTP_USER_AGENT=agent_string)
assert res.cookies.get(self.cookie_key)["samesite"] == "None"
assert res.cookies.get(self.cookie_key)["secure"]
}}}

When printing the content of the cookies (`print(res.cookies.items())`),
the cookie keys are not there.

Side note: until 3.1 I was adding `SameSite` and `Secure` cookies in the
responses through a custom middleware before Django 3.1, depending on the
user agent, and the tests were passing.

--

--
Ticket URL: <https://code.djangoproject.com/ticket/33109#comment:4>

Django

Sep 14, 2021, 7:35:40 AM
to django-...@googlegroups.com
#33109: Testing the presence of SameSite and Secure cookies doesn't work
-------------------------------------+-------------------------------------
Reporter: Adrien Carpentier | Owner: nobody
Type: Bug | Status: new

Component: HTTP handling | Version: 3.1
Severity: Normal | Resolution:
Keywords: cookies, samesite, | Triage Stage:
secure, test | Unreviewed
Has patch: 0 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Adrien Carpentier:

Old description:

> When using the following constants in `settings.py`, as Django doc says
> (https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-SESSION_COOKIE_SECURE):
>
> {{{
> CSRF_COOKIE_SECURE = True
> SESSION_COOKIE_SECURE = True
> CSRF_COOKIE_SAMESITE = 'None'
> SESSION_COOKIE_SAMESITE = 'None'
> }}}
>

> ...and then when testing the presence of `SameSite` and `Secure` cookies
> in the responses, there are neither `SameSite` nor `Secure` cookie keys.


> Here is a non passing test, for example, for a user agent that should
> have `SameSite` and `Secure` cookies:
>
> {{{
> agent_string = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.2227.0 Safari/537.36"
> from django.test import Client
> test_client = Client()
> res = test_client.get("/", HTTP_USER_AGENT=agent_string)
> assert res.cookies.get(self.cookie_key)["samesite"] == "None"
> assert res.cookies.get(self.cookie_key)["secure"]
> }}}
>
> When printing the content of the cookies (`print(res.cookies.items())`),
> the cookie keys are not there.
>

> Side note: until 3.1 I was adding `SameSite` and `Secure` cookies in the
> responses through a custom middleware before Django 3.1, depending on the
> user agent, and the tests were passing.

New description:

When using the following constants in `settings.py`, as Django doc says
(https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-SESSION_COOKIE_SECURE):

{{{
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE = 'None'
}}}

...and then when testing the presence of `SameSite` and `Secure` cookies
in the responses, there are neither `SameSite` nor `Secure` cookie keys.


Here is a non passing test, for example, for a user agent that should have
`SameSite` and `Secure` cookies:

{{{
agent_string = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.2227.0 Safari/537.36"
from django.test import Client
test_client = Client()
res = test_client.get("/", HTTP_USER_AGENT=agent_string)
assert res.cookies.get(self.cookie_key)["samesite"] == "None"
assert res.cookies.get(self.cookie_key)["secure"]
}}}

When printing the content of the cookies (`print(res.cookies.items())`),
the cookie keys are not there.

Note: When adding `SameSite` and `Secure` cookies in the responses through
a custom middleware instead of the 3.1 setting, the tests are passing.

--

--
Ticket URL: <https://code.djangoproject.com/ticket/33109#comment:5>

Django

Sep 14, 2021, 8:53:21 AM
to django-...@googlegroups.com
#33109: Testing the presence of SameSite and Secure cookies doesn't work
-------------------------------------+-------------------------------------
Reporter: Adrien Carpentier | Owner: nobody
Type: Bug | Status: new

Component: HTTP handling | Version: 3.1
Severity: Normal | Resolution:
Keywords: cookies, samesite, | Triage Stage:
secure, test | Unreviewed
Has patch: 0 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham):

Have you debugged this to confirm that Django is at fault, and if so,
where?

--
Ticket URL: <https://code.djangoproject.com/ticket/33109#comment:6>

Django

Sep 16, 2021, 12:22:33 AM
to django-...@googlegroups.com
#33109: Testing the presence of SameSite and Secure cookies doesn't work
-------------------------------------+-------------------------------------

Reporter: Adrien Carpentier | Owner: nobody
Type: Bug | Status: closed
Component: Testing framework | Version: 3.1
Severity: Normal | Resolution: needsinfo

Keywords: cookies, samesite, | Triage Stage:
secure, test | Unreviewed
Has patch: 0 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* status: new => closed
* resolution: => needsinfo
* component: HTTP handling => Testing framework


Comment:

Thanks for the ticket, however I cannot reproduce this issue. Please
reopen the ticket if you can debug your issue and provide a sample
project.

--
Ticket URL: <https://code.djangoproject.com/ticket/33109#comment:7>
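
An added example, not part of the ticket or of Django's own code: Django's `response.cookies` is a standard-library `http.cookies.SimpleCookie`, so a test like the one in the report can first tell a cookie that was never sent apart from one sent without `Secure` or `SameSite`. The helper names `load_cookies` and `audit_cookie_flags` and the sample headers are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie header values (not taken from the ticket).
SAMPLE_HEADERS = [
    "csrftoken=abc123; Path=/; SameSite=None; Secure",
    "legacy=1; Path=/; SameSite=Lax",
]


def load_cookies(set_cookie_headers):
    """Parse Set-Cookie header values into a SimpleCookie, the same type
    Django exposes as ``response.cookies``."""
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    return jar


def audit_cookie_flags(cookies, expected):
    """Return {cookie_name: [problems]} for every cookie named in ``expected``.

    ``expected`` maps a cookie name to the attributes it must carry, e.g.
    {"sessionid": {"secure": True, "samesite": "None"}}.
    """
    findings = {}
    for name, attrs in expected.items():
        morsel = cookies.get(name)
        if morsel is None:
            # The cookie was never sent, so no attribute can be checked;
            # indexing the None returned by .get() would raise TypeError.
            findings[name] = ["cookie not set in this response"]
            continue
        problems = []
        for attr, want in attrs.items():
            got = morsel[attr]  # a Morsel returns "" for an unset attribute
            if isinstance(want, bool):
                if bool(got) != want:
                    problems.append(f"{attr}: expected {want}, got {bool(got)}")
            elif str(got).lower() != str(want).lower():
                problems.append(f"{attr}: expected {want!r}, got {got!r}")
        if problems:
            findings[name] = problems
    return findings
```

In a Django test, passing `res.cookies` as the first argument gives the same report for the response returned by the test client.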
