pyepye / django-magiclink

Passwordless authentication for Django with magic links.
MIT License
Cookie not deleted with LoginVerify #9

Open efojs opened 3 years ago

efojs commented 3 years ago

Description

While debugging why the cookie is not deleted with LoginVerify if REQUIRE_SAME_BROWSER is set,
I found that it is set properly:

set-cookie: 
magiclink498=e214549f-0d66-491a-a494-20964daa649e; 
Path=/

But for deletion, the browser gets this:

set-cookie: 
magiclink498=""; 
expires=Thu, 01 Jan 1970 00:00:00 GMT; 
Max-Age=0; 
Path=e214549f-0d66-491a-a494-20964daa649e

Setting a breakpoint after response.delete_cookie(cookie_name, magiclink.cookie_value) shows:

(Pdb) response.cookies.values()
dict_values([<Morsel: magiclink498=""; expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=e214549f-0d66-491a-a494-20964daa649e>])

While after response.set_cookie(cookie_name, magiclink.cookie_value):

(Pdb) response.cookies.values()
dict_values([<Morsel: magiclink498=e214549f-0d66-491a-a494-20964daa649e; Path=/>])

Question

Do you have any ideas why this can happen?
Can you recreate it?

System

MagicLink: ==1.0.4
Django: ==3.2.5
Python: 3.8

pyepye commented 3 years ago

Hi @efojs

Sorry if I'm not getting this but it looks like it's working as expected?

It's up to the browser to delete a cookie, but the cookie value is getting set to "" and it's being set to expire at Thu, 01 Jan 1970 00:00:00 GMT, which is the server-side way of setting a cookie to delete.

There is a test which ensures this is what happens on LoginVerify: https://github.com/pyepye/django-magiclink/blob/master/tests/test_login_verify.py#L33-L34

Thanks
Matt
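
Added example (not part of the thread and not django-magiclink's code): Django's HttpResponse.delete_cookie(key, path='/', domain=None, samesite=None) takes the path as its second positional parameter, which matches the Path=<cookie value> in the deletion header quoted above. The sketch below models RFC 6265 cookie storage to check whether that header clears the original cookie. The request path /auth/login/verify/, the host example.test and the corrected header FIXED_DELETE are assumptions.

```python
# Added example: minimal RFC 6265 storage model for the headers quoted in the issue.
SET_HEADER = "magiclink498=e214549f-0d66-491a-a494-20964daa649e; Path=/"
DELETE_HEADER = ('magiclink498=""; expires=Thu, 01 Jan 1970 00:00:00 GMT; '
                 "Max-Age=0; Path=e214549f-0d66-491a-a494-20964daa649e")
# Constructed: the same deletion header with the Path the cookie was set with.
FIXED_DELETE = 'magiclink498=""; expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/'
VERIFY_URL_PATH = "/auth/login/verify/"  # assumption: request path of the verify view


def parse_set_cookie(header):
    """Return (name, value, attrs) with attribute names lowercased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip().strip('"'), attrs


def default_path(request_path):
    """RFC 6265 section 5.1.4: the directory part of the request path."""
    if not request_path.startswith("/") or request_path.count("/") <= 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def cookie_path(attrs, request_path):
    """RFC 6265 section 5.2.4: a Path not starting with "/" falls back to default-path."""
    path = attrs.get("path", "")
    return path if path.startswith("/") else default_path(request_path)


def apply_headers(headers, request_path, host="example.test"):
    """Feed Set-Cookie headers to a jar keyed by (name, host, path), as a browser stores them."""
    jar = {}
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        key = (name, host, cookie_path(attrs, request_path))
        if attrs.get("max-age") == "0":  # expired on arrival: evicts only the same key
            jar.pop(key, None)
        else:
            jar[key] = value
    return jar
```

With the assumed request path, the quoted deletion header leaves the Path=/ cookie in the jar, while the same header with Path=/ removes it.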