From 38e69d1e32e2172f095a1b414afd135b5e2279e7 Mon Sep 17 00:00:00 2001 From: Richard Schreiber Date: Tue, 24 Mar 2026 09:20:52 +0100 Subject: [PATCH] change to helper delete_cookie_without_samesite --- src/pretix/helpers/cookies.py | 5 ++++ src/pretix/multidomain/middlewares.py | 38 ++++++++++++++++++++------- 2 files changed, 33 insertions(+), 10 deletions(-) diff --git a/src/pretix/helpers/cookies.py b/src/pretix/helpers/cookies.py index aea7e0e37..067617385 100644 --- a/src/pretix/helpers/cookies.py +++ b/src/pretix/helpers/cookies.py @@ -20,6 +20,7 @@ # . # import re +from datetime import datetime from django.conf import settings @@ -48,6 +49,10 @@ def set_cookie_without_samesite(request, response, key, *args, **kwargs): response.cookies[key]['Partitioned'] = True +def delete_cookie_without_samesite(request, response, key, *args, **kwargs): + kwargs['expires'] = datetime.utcfromtimestamp(0).strftime("%a, %d %b %Y %H:%M:%S GMT") + set_cookie_without_samesite(request, response, key, *args, **kwargs) + # Based on https://www.chromium.org/updates/same-site/incompatible-clients # Copyright 2019 Google LLC. # SPDX-License-Identifier: Apache-2.0 diff --git a/src/pretix/multidomain/middlewares.py b/src/pretix/multidomain/middlewares.py index 2c1d1f598..e216584eb 100644 --- a/src/pretix/multidomain/middlewares.py +++ b/src/pretix/multidomain/middlewares.py @@ -33,7 +33,6 @@ # License for the specific language governing permissions and limitations under the License. import time -from datetime import datetime from urllib.parse import urlparse from django.conf import settings @@ -56,7 +55,7 @@ from django.utils.http import http_date from django_scopes import scopes_disabled from pretix.base.models import Event, Organizer -from pretix.helpers.cookies import set_cookie_without_samesite +from pretix.helpers.cookies import delete_cookie_without_samesite, set_cookie_without_samesite from pretix.multidomain.models import KnownDomain LOCAL_HOST_NAMES = ('testserver', 'localhost') 
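Review bot: The new `delete_cookie_without_samesite` helper in cookies.py builds its expiry with `datetime.utcfromtimestamp(0)`, which is deprecated since Python 3.12 and raises a DeprecationWarning, and it only sets `expires` without `max_age=0`, whereas Django's `response.delete_cookie` — which the middleware hunks replace with this helper — sets both so that clients preferring Max-Age over Expires still discard the cookie. The epoch date is a constant, so the datetime call can go entirely: `kwargs['expires'] = 'Thu, 01 Jan 1970 00:00:00 GMT'` followed by `kwargs.setdefault('max_age', 0)`, assuming `set_cookie_without_samesite` forwards its kwargs to `response.set_cookie` (its body is outside this hunk apart from the Partitioned line). A short docstring saying the caller must pass the same path, secure and httponly attributes the cookie was originally set with would also help, since a mismatched Path turns the deletion into a no-op. The remaining hunks on this line are import changes only.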
@@ -177,9 +176,23 @@ class SessionMiddleware(BaseSessionMiddleware):
 # The session should be deleted only if the session is entirely empty
 is_secure = request.scheme == 'https'
 if '__Host-' + settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
- response.delete_cookie('__Host-' + settings.SESSION_COOKIE_NAME)
+ # response.delete_cookie does not work as we might have set a partitioned cookie
+ delete_cookie_without_samesite(
+ request, response,
+ '__Host-' + settings.SESSION_COOKIE_NAME,
+ path=settings.SESSION_COOKIE_PATH,
+ secure=is_secure,
+ httponly=settings.SESSION_COOKIE_HTTPONLY or None
+ )
 elif settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
- response.delete_cookie(settings.SESSION_COOKIE_NAME)
+ # response.delete_cookie does not work as we might have set a partitioned cookie
+ delete_cookie_without_samesite(
+ request, response,
+ settings.SESSION_COOKIE_NAME,
+ path=settings.SESSION_COOKIE_NAME,
+ secure=is_secure,
+ httponly=settings.SESSION_COOKIE_HTTPONLY or None
+ )
 else:
 if accessed:
 patch_vary_headers(response, ('Cookie',))
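Review bot: In the `elif settings.SESSION_COOKIE_NAME in request.COOKIES and empty:` branch the expiring cookie is sent with `path=settings.SESSION_COOKIE_NAME` instead of `path=settings.SESSION_COOKIE_PATH`, which is what the `__Host-` branch directly above and the `set_cookie_without_samesite` call later in this file use. Browsers match a deleting Set-Cookie against the stored cookie by name, domain and path, so with the cookie name as Path the browser stores a second unrelated cookie and the existing non-`__Host-` session cookie survives the flush; the old session key keeps being sent on later requests even though the server considers that session empty. The fix is the one-line change `path=settings.SESSION_COOKIE_PATH,`. The enclosing SessionMiddleware method starts and ends outside this hunk.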
@@ -196,15 +209,21 @@ class SessionMiddleware(BaseSessionMiddleware):
 if response.status_code != 500:
 request.session.save()
 if is_secure and settings.SESSION_COOKIE_NAME in request.COOKIES: # remove legacy cookie
- response.delete_cookie(settings.SESSION_COOKIE_NAME)
- response.delete_cookie(settings.SESSION_COOKIE_NAME, samesite="None")
+ # response.delete_cookie does not work as we might have set a partitioned cookie
+ delete_cookie_without_samesite(
+ request, response,
+ settings.SESSION_COOKIE_NAME,
+ path=settings.SESSION_COOKIE_PATH,
+ secure=is_secure,
+ httponly=settings.SESSION_COOKIE_HTTPONLY or None
+ )
 set_cookie_without_samesite(
 request, response,
 '__Host-' + settings.SESSION_COOKIE_NAME if is_secure else settings.SESSION_COOKIE_NAME,
 request.session.session_key,
 max_age=max_age, expires=expires,
 path=settings.SESSION_COOKIE_PATH,
- secure=request.scheme == 'https',
+ secure=is_secure,
 httponly=settings.SESSION_COOKIE_HTTPONLY or None
 )
 return response
@@ -252,12 +271,11 @@ class CsrfViewMiddleware(BaseCsrfMiddleware):
 is_secure = request.scheme == 'https'
 # Set the CSRF cookie even if it's already set, so we renew
 # the expiry timer.
- if is_secure and settings.CSRF_COOKIE_NAME in request.COOKIES: # remove legacy cookie
+ if is_secure:# and settings.CSRF_COOKIE_NAME in request.COOKIES: # remove legacy cookie
 # response.delete_cookie does not work as we might have set a partitioned cookie
- set_cookie_without_samesite(
+ delete_cookie_without_samesite(
 request, response,
 settings.CSRF_COOKIE_NAME,
- expires=datetime.utcfromtimestamp(0).strftime("%a, %d %b %Y %H:%M:%S GMT"),
 path=settings.CSRF_COOKIE_PATH,
 secure=is_secure,
 httponly=settings.CSRF_COOKIE_HTTPONLY
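Review bot: The legacy-cookie removal now issues a single deletion through `delete_cookie_without_samesite` where the old code sent two (plain and `samesite="None"`), and that helper can add a Partitioned attribute (the cookies.py hunk shows `response.cookies[key]['Partitioned'] = True`); browsers implementing CHIPS store a partitioned and an unpartitioned cookie of the same name as distinct cookies, so a legacy unpartitioned cookie left by an earlier release may not be matched and would keep being sent. I cannot see the condition under which Partitioned is added, so this needs confirming against the helper. If it applies, keeping a plain `response.delete_cookie(settings.SESSION_COOKIE_NAME, path=settings.SESSION_COOKIE_PATH)` next to the helper call covers both variants. The `secure=is_secure` change is fine since `is_secure` is computed from the same expression earlier in this method, which starts outside the hunk.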
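Review bot: The new condition `if is_secure:# and settings.CSRF_COOKIE_NAME in request.COOKIES: # remove legacy cookie` in CsrfViewMiddleware disables the presence check by commenting it out, so every HTTPS response now carries an expiring Set-Cookie for `CSRF_COOKIE_NAME` even when the client never sent one, and the line reads as leftover debugging rather than a decision. If unconditional removal is intended, replace the dead code with a comment giving the reason, e.g. `if is_secure:  # always expire the legacy cookie, even when absent from request.COOKIES`; otherwise restore the `and settings.CSRF_COOKIE_NAME in request.COOKIES` guard. Either way the deletion's Path, Secure and HttpOnly attributes must match those the legacy cookie was originally set with, or the browser ignores the Set-Cookie. The call's closing parenthesis and the rest of the enclosing method are outside this hunk.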