Re: Unable to delete cookie


Daniel Rus Morales

Sep 24, 2014, 5:07:26 AM
to django...@googlegroups.com
It sounds like you have a same-origin policy issue. If the external authentication site and your site have different origins, you can’t delete their cookies with your responses. Doesn't the external authentication site provide you with a method to log out?

On 23 Sep 2014, at 19:09, Tao Bojlen <brorb...@gmail.com> wrote:

Hi,

I'm using a custom authentication backend for my Django project, and in order to log out I have to delete a cookie that's set by the (external) authentication site.
Here is my view code:

response = django_logout(request,
                         next_page=post_logout_url)
response.delete_cookie('cookie_name',
                        domain="cookie_domain")
return response


The Set-Cookie header of the view is fine:
cookie_name=; Domain=cookie_domain; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/

But the cookie isn't changed at all - it has the same value and expiry date ("end of session") as before logging out.

Does anyone have any ideas about why this is happening?

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/1c643254-9800-4978-a236-a67d40cb973d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Collin Anderson

Sep 24, 2014, 10:33:43 AM
to django...@googlegroups.com
Could it be different paths or something? Or http vs https?

Daniel Rus Morales

Sep 24, 2014, 1:19:10 PM
to django...@googlegroups.com
Your code looks good. It seems to me you might have some middleware in your project, from the external authentication, that places the cookie. Think that the response in your view still has to pass through the middleware on its way out to the browser.

Just guessing.

On 24 Sep 2014, at 16:40, Tao Bror Bojlén <brorb...@gmail.com> wrote:

> Everything's https, and it's the same path.
> Here's the cookie before going to the logout view, and the cookie header
> of that view: http://imgur.com/a/idlVT
>
> As far as I can tell, they match, but the cookie isn't changed at all.
>
>
> On 24/09/2014 15:33, Collin Anderson wrote:
>> Could it be different paths or something? Or http vs https?

Daniel Rus Morales

Sep 26, 2014, 2:09:37 PM
to django...@googlegroups.com
Did you try to remove the last subdomain and call delete_cookie again? Just curious.

On 26 Sep 2014, at 19:56, Tao Bojlen <brorb...@gmail.com> wrote:

I fixed this by using set_cookie() with a manually entered expiry date, rather than delete_cookie(). Additionally, if I set the domain in Django, it prefixed a period which meant that it didn't match the existing cookie. I didn't enter a domain and it used the default, which worked.



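Added example (not part of the thread, and not Django or browser code): a simplified model of how a browser matches a deleting Set-Cookie header against its cookie store, using the (name, domain, host-only-flag, path) storage key from RFC 6265bis. It assumes the existing cookie was host-only, which is consistent with the fix reported above; the hosts, cookie name and values are constructed placeholders.

```python
# Simplified browser cookie store for testing logout behaviour offline.
# Storage key follows RFC 6265bis: (name, domain, host-only-flag, path).

def parse_set_cookie(header):
    """Return (name, value, attrs) from a Set-Cookie header value."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


class CookieStore:
    def __init__(self):
        self.cookies = {}  # (name, domain, host_only, path) -> value

    def receive(self, request_host, header):
        """Apply one Set-Cookie header sent by request_host; return the outcome."""
        name, value, attrs = parse_set_cookie(header)
        host = request_host.lower()
        domain = attrs.get("domain", "").lower()
        if domain.startswith("."):
            domain = domain[1:]          # a leading dot is ignored when parsing
        if domain and host != domain and not host.endswith("." + domain):
            return "rejected"            # Domain does not domain-match the sender
        host_only = not domain           # no Domain attribute -> host-only cookie
        path = attrs.get("path") or "/"  # simplification: default path assumed "/"
        key = (name, domain or host, host_only, path)
        if int(attrs.get("max-age", "1")) <= 0:   # only Max-Age is modelled
            found = self.cookies.pop(key, None) is not None
            return "deleted" if found else "no match"
        self.cookies[key] = value
        return "stored"


def demo():
    """Constructed scenario: a host-only cookie, then four deletion attempts."""
    store = CookieStore()
    results = [store.receive("app.example.test", "sso=abc123; Path=/")]
    for host, header in [
        ("other.example.test", "sso=; Domain=app.example.test; Max-Age=0; Path=/"),
        ("app.example.test", "sso=; Domain=app.example.test; Max-Age=0; Path=/"),
        ("app.example.test", "sso=; Max-Age=0; Path=/auth"),
        ("app.example.test", "sso=; Max-Age=0; Path=/"),
    ]:
        results.append(store.receive(host, header))
    return results, store.cookies
```

Only the last header, with no Domain attribute and the same Path, removes the cookie. A logout test should therefore check what remains in the client's cookie store, not just the Set-Cookie header on the response.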