change to helper delete_cookie_without_samesite

2026-03-24 09:20:52 +01:00
parent 777b504bbe
commit 38e69d1e32
2 changed files with 33 additions and 10 deletions
--- a/src/pretix/helpers/cookies.py
+++ b/src/pretix/helpers/cookies.py
@@ -20,6 +20,7 @@
 # <https://www.gnu.org/licenses/>.
 #
 import re
+from datetime import datetime

 from django.conf import settings

@@ -48,6 +49,10 @@ def set_cookie_without_samesite(request, response, key, *args, **kwargs):
        response.cookies[key]['Partitioned'] = True


+def delete_cookie_without_samesite(request, response, key, *args, **kwargs):
+    kwargs['expires'] = datetime.utcfromtimestamp(0).strftime("%a, %d %b %Y %H:%M:%S GMT")
+    set_cookie_without_samesite(request, response, key, *args, **kwargs)
+
 # Based on https://www.chromium.org/updates/same-site/incompatible-clients
 # Copyright 2019 Google LLC.
 # SPDX-License-Identifier: Apache-2.0
--- a/src/pretix/multidomain/middlewares.py
+++ b/src/pretix/multidomain/middlewares.py
@@ -33,7 +33,6 @@
 # License for the specific language governing permissions and limitations under the License.

 import time
-from datetime import datetime
 from urllib.parse import urlparse

 from django.conf import settings
@@ -56,7 +55,7 @@ from django.utils.http import http_date
 from django_scopes import scopes_disabled

 from pretix.base.models import Event, Organizer
-from pretix.helpers.cookies import set_cookie_without_samesite
+from pretix.helpers.cookies import delete_cookie_without_samesite, set_cookie_without_samesite
 from pretix.multidomain.models import KnownDomain

 LOCAL_HOST_NAMES = ('testserver', 'localhost')
@@ -177,9 +176,23 @@ class SessionMiddleware(BaseSessionMiddleware):
            # The session should be deleted only if the session is entirely empty
            is_secure = request.scheme == 'https'
            if '__Host-' + settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
-                response.delete_cookie('__Host-' + settings.SESSION_COOKIE_NAME)
+                # response.delete_cookie does not work as we might have set a partitioned cookie
+                delete_cookie_without_samesite(
+                    request, response,
+                    '__Host-' + settings.SESSION_COOKIE_NAME,
+                    path=settings.SESSION_COOKIE_PATH,
+                    secure=is_secure,
+                    httponly=settings.SESSION_COOKIE_HTTPONLY or None
+                )
            elif settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
-                response.delete_cookie(settings.SESSION_COOKIE_NAME)
+                # response.delete_cookie does not work as we might have set a partitioned cookie
+                delete_cookie_without_samesite(
+                    request, response,
+                    settings.SESSION_COOKIE_NAME,
+                    path=settings.SESSION_COOKIE_NAME,
+                    secure=is_secure,
+                    httponly=settings.SESSION_COOKIE_HTTPONLY or None
+                )
            else:
                if accessed:
                    patch_vary_headers(response, ('Cookie',))
@@ -196,15 +209,21 @@ class SessionMiddleware(BaseSessionMiddleware):
                    if response.status_code != 500:
                        request.session.save()
                        if is_secure and settings.SESSION_COOKIE_NAME in request.COOKIES:  # remove legacy cookie
-                            response.delete_cookie(settings.SESSION_COOKIE_NAME)
-                            response.delete_cookie(settings.SESSION_COOKIE_NAME, samesite="None")
+                            # response.delete_cookie does not work as we might have set a partitioned cookie
+                            delete_cookie_without_samesite(
+                                request, response,
+                                settings.SESSION_COOKIE_NAME,
+                                path=settings.SESSION_COOKIE_PATH,
+                                secure=is_secure,
+                                httponly=settings.SESSION_COOKIE_HTTPONLY or None
+                            )
                        set_cookie_without_samesite(
                            request, response,
                            '__Host-' + settings.SESSION_COOKIE_NAME if is_secure else settings.SESSION_COOKIE_NAME,
                            request.session.session_key, max_age=max_age,
                            expires=expires,
                            path=settings.SESSION_COOKIE_PATH,
-                            secure=request.scheme == 'https',
+                            secure=is_secure,
                            httponly=settings.SESSION_COOKIE_HTTPONLY or None
                        )
        return response
@@ -252,12 +271,11 @@ class CsrfViewMiddleware(BaseCsrfMiddleware):
            is_secure = request.scheme == 'https'
            # Set the CSRF cookie even if it's already set, so we renew
            # the expiry timer.
-            if is_secure and settings.CSRF_COOKIE_NAME in request.COOKIES:  # remove legacy cookie
+            if is_secure:# and settings.CSRF_COOKIE_NAME in request.COOKIES:  # remove legacy cookie
                # response.delete_cookie does not work as we might have set a partitioned cookie
-                set_cookie_without_samesite(
+                delete_cookie_without_samesite(
                    request, response,
                    settings.CSRF_COOKIE_NAME,
-                    expires=datetime.utcfromtimestamp(0).strftime("%a, %d %b %Y %H:%M:%S GMT"),
                    path=settings.CSRF_COOKIE_PATH,
                    secure=is_secure,
                    httponly=settings.CSRF_COOKIE_HTTPONLY