I have a site running Django 1.6 using a custom authentication backend (CoSign). Authentication works, but to log out I need to delete a cookie.
This is the cookie before logging out, using Firebug:
- Name: cookie_name
- Domain: cookie_domain
- Path: /
- Expires: Session
- Security: Secure
Here is my logout view:
from django.contrib import messages
from django.contrib.auth.views import logout as django_logout
from django.core.urlresolvers import reverse
from django.http import HttpResponseRedirect


def logout(request):
    if request.user.is_authenticated():
        # Django's own logout view clears the session; next_page is where it redirects.
        response = django_logout(
            request,
            next_page=reverse("logout-confirmation")
        )
        # Expire the CoSign cookie on the same response.
        response.delete_cookie(
            'cookie_name',
            domain="cookie_domain"
        )
        return response
    else:
        messages.add_message(
            request,
            messages.ERROR,
            "You can't log out if you aren't logged "
            "in first!"
        )
        return HttpResponseRedirect(reverse("frontpage"))
cookie_name and cookie_domain in my code match the actual name and domain of the cookie.
Here are the response headers of the logout view:
Connection: "close"
Content-Length: "0"
Set-Cookie: "{{ cookie_name }}=; Domain={{ cookie_domain }}; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/sessionid=25lysb3tzhozv464mrgg08uqz100ur39; expires=Mon, 15-Sep-2014 19:07:22 GMT; httponly; Max-Age=1209600; Path=/"
Vary: "Cookie"
After going to my logout view, however, the cookie still exists! Can anyone shed some light on why this happens?
I fixed this by using set_cookie() with a manually entered expiry date, rather than delete_cookie(). Additionally, if I set the domain in Django, it prefixed a period, which meant that it didn't match the existing cookie. I didn't enter a domain and it used the default, which worked.
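To see why the Domain attribute decides whether the deletion takes effect, here is an added example (not code from the question, the answer, or Django) that models a browser cookie jar keyed by name, domain and path and replays both deletion headers against the original cookie. It assumes the CoSign cookie was set without a Domain attribute (a host-only cookie, consistent with the default that worked); cookie names, values and the host are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

EPOCH = "Thu, 01-Jan-1970 00:00:00 GMT"  # expiry Django's delete_cookie() emits

def expiry_header(name, domain=None, path="/"):
    """Set-Cookie header that expires `name`, shaped like the one in the question:
    empty value, past expiry, Max-Age=0, and a Domain attribute only if given."""
    parts = [f"{name}=", f"expires={EPOCH}", "Max-Age=0", f"Path={path}"]
    if domain:
        parts.insert(1, f"Domain={domain}")
    return "; ".join(parts)

def _expired(morsel):
    """Expired when Max-Age <= 0 or the expires date is in the past."""
    if morsel["max-age"] != "":
        return int(morsel["max-age"]) <= 0
    if morsel["expires"] != "":
        when = parsedate_to_datetime(morsel["expires"])
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when <= datetime.now(timezone.utc)
    return False

class CookieStore:
    """Toy browser cookie jar keyed by (name, domain, path). A Set-Cookie with a
    Domain attribute becomes a domain cookie, recorded with a leading '.' the way
    Firefox displayed it; without one it is host-only and keyed by the request host."""
    def __init__(self, host):
        self.host, self.jar = host, {}

    def apply(self, header):
        # Only an exact (name, domain, path) match replaces or removes a cookie.
        for name, morsel in SimpleCookie(header).items():
            domain = "." + morsel["domain"] if morsel["domain"] else self.host
            key = (name, domain, morsel["path"] or "/")
            if _expired(morsel):
                self.jar.pop(key, None)
            else:
                self.jar[key] = morsel.value

def simulate_logout(host="cookie_domain"):
    """Replay the question: host-only CoSign cookie, then both deletion attempts."""
    browser = CookieStore(host)
    browser.apply("cookie_name=abc; Path=/; Secure")          # constructed original cookie
    browser.apply(expiry_header("cookie_name", domain=host))  # delete_cookie(domain=...)
    survived = ("cookie_name", host, "/") in browser.jar      # True: keys differ
    browser.apply(expiry_header("cookie_name"))               # default domain: host-only
    removed = ("cookie_name", host, "/") not in browser.jar   # True: exact match
    return survived, removed
```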