This can happen if the SESSION_COOKIE_DOMAIN parameter is changed. (You said that SESSION_COOKIE_PATH had been changed.)
The documentation for SESSION_COOKIE_DOMAIN contains the following warning:
SESSION_COOKIE_DOMAIN
Be careful when updating this setting on a production site. If you update this setting to enable cross-domain cookies on a site that previously used standard domain cookies, existing user cookies will be set to the old domain. This may make it impossible to log in while these cookies are stored.
This will happen if you go from:
SESSION_COOKIE_DOMAIN = None
to
SESSION_COOKIE_DOMAIN = '.domain.com'
As you said, on the client side there are now two cookies that will be sent to the server during the request, both with the name sessionid. When Django looks at the cookies, it only has access to a Python dictionary, so it only ever sees one sessionid cookie, rather than both that were sent.
I have not tested this, but some ideas for fixing the problem might be as follows:
1. Ask the user to delete the relevant cookies. Depending on the number of users and their skill level, this may not be a reasonable option. Asking them to delete ALL of their cookies is out of the question.
2. Wait for the expiration of the old cookies. By default, it looks like the sessionid cookie has a 14-day expiration date. Once old session cookies expire, they will no longer be sent with every request, allowing the new sessionid cookie to take effect.
3. Change the name of the sessionid cookie and write your own Django middleware to handle both old and new sessionid cookies.
I did not test the last point, but it would be possible to change SESSION_COOKIE_NAME to something other than sessionid. Now this will not allow existing users to log in using existing sessionid cookies, so you will need to write your own middleware that could handle both sessionid cookies (for old cookies) and sessionidnew cookies (for current logins).
Something like this will work:
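    # The standard-library importlib replaces django.utils.importlib,
    # which newer Django releases no longer ship.
    from importlib import import_module

    from django.conf import settings
    from django.contrib.sessions import middleware


    class MySessionMiddleware(middleware.SessionMiddleware):
        def process_request(self, request):
            engine = import_module(settings.SESSION_ENGINE)
            # Prefer the cookie stored under the new SESSION_COOKIE_NAME.
            session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME, None)
            if session_key is None:
                # Fall back to the old cookie name for existing logins.
                session_key = request.COOKIES.get('sessionid', None)
            request.session = engine.SessionStore(session_key)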
You need to replace SessionMiddleware in MIDDLEWARE_CLASSES in settings.py with this new middleware. For example: change 'django.contrib.sessions.middleware.SessionMiddleware' to 'custommiddleware.MySessionMiddleware', where custommiddleware.py is the file with the above code and is present in the project root folder (where the manage.py file is present).
Once enough time has passed and you are satisfied that all old sessionid cookies have expired, you can do the opposite and return to using sessionid as your preferred cookie name for sessions, eventually removing the specialised code that can handle two different types of sessionid cookies.
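The duplicate-cookie situation described above can be checked from the raw Cookie header. The following is an added example, not part of the original answer and not Django's own parsing code; the function names and the sample header are constructed for illustration, and the dict-building step here lets a later pair overwrite an earlier one.

```python
from collections import defaultdict


def split_cookie_header(header):
    """Return (name, value) pairs in the order they appear in a Cookie header."""
    pairs = []
    for chunk in header.split(";"):
        name, sep, value = chunk.strip().partition("=")
        if sep and name:
            pairs.append((name.strip(), value.strip()))
    return pairs


def as_mapping(header):
    """Collapse the pairs into a dict, the shape a name -> value lookup has.

    In this example a later pair overwrites an earlier one with the same name.
    """
    return dict(split_cookie_header(header))


def duplicated_names(header):
    """Return {name: [values...]} for every cookie name sent more than once."""
    seen = defaultdict(list)
    for name, value in split_cookie_header(header):
        seen[name].append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def session_cookie_conflict(header, cookie_name="sessionid"):
    """True when the session cookie name arrives with more than one distinct value."""
    values = duplicated_names(header).get(cookie_name, [])
    return len(set(values)) > 1


# Constructed sample: a host-only cookie set before the change and a
# '.domain.com' cookie set after it, both named sessionid.
SAMPLE_HEADER = "csrftoken=tok123; sessionid=oldhostonly111; sessionid=newdomain222"

if __name__ == "__main__":
    print(as_mapping(SAMPLE_HEADER))               # only one sessionid survives
    print(duplicated_names(SAMPLE_HEADER))         # both values are visible here
    print(session_cookie_conflict(SAMPLE_HEADER))  # flags the conflict
```

Called on request.META.get('HTTP_COOKIE', '') inside a middleware, session_cookie_conflict gives a way to log how many clients still send both cookies before the fallback code is removed.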