From 3c659856eb9d5a45e02213f1e8f9fcbb03bd12cf Mon Sep 17 00:00:00 2001
From: Bo Lopker <blopker@23andme.com>
Date: Wed, 13 May 2015 23:22:42 -0700
Subject: [PATCH] [1.8.x] Fixed #24799 -- Fixed session cookie deletion when
 using SESSION_COOKIE_DOMAIN

Backport of 2dee853ed4def42b7ef1b3b472b395055543cc00 from master
---
 django/contrib/sessions/middleware.py |  3 ++-
 docs/releases/1.8.2.txt               |  3 +++
 tests/sessions_tests/tests.py         | 29 +++++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/django/contrib/sessions/middleware.py b/django/contrib/sessions/middleware.py
index 69ca669033..c21036b124 100644
--- a/django/contrib/sessions/middleware.py
+++ b/django/contrib/sessions/middleware.py
@@ -31,7 +31,8 @@ class SessionMiddleware(object):
             # First check if we need to delete this cookie.
             # The session should be deleted only if the session is entirely empty
             if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
-                response.delete_cookie(settings.SESSION_COOKIE_NAME)
+                response.delete_cookie(settings.SESSION_COOKIE_NAME,
+                    domain=settings.SESSION_COOKIE_DOMAIN)
             else:
                 if accessed:
                     patch_vary_headers(response, ('Cookie',))
diff --git a/docs/releases/1.8.2.txt b/docs/releases/1.8.2.txt
index f14036b51f..3682126aa1 100644
--- a/docs/releases/1.8.2.txt
+++ b/docs/releases/1.8.2.txt
@@ -30,3 +30,6 @@ Bugfixes
 
 * Fixed a MySQL crash when a migration removes a combined index (unique_together
   or index_together) containing a foreign key (:ticket:`24757`).
+
+* Fixed session cookie deletion when using :setting:`SESSION_COOKIE_DOMAIN`
+  (:ticket:`24799`).
diff --git a/tests/sessions_tests/tests.py b/tests/sessions_tests/tests.py
index f6c5933da4..d9e6817976 100644
--- a/tests/sessions_tests/tests.py
+++ b/tests/sessions_tests/tests.py
@@ -610,6 +610,35 @@ class SessionMiddlewareTests(TestCase):
             str(response.cookies[settings.SESSION_COOKIE_NAME])
         )
 
+    @override_settings(SESSION_COOKIE_DOMAIN='.example.local')
+    def test_session_delete_on_end_with_custom_domain(self):
+        request = RequestFactory().get('/')
+        response = HttpResponse('Session test')
+        middleware = SessionMiddleware()
+
+        # Before deleting, there has to be an existing cookie
+        request.COOKIES[settings.SESSION_COOKIE_NAME] = 'abc'
+
+        # Simulate a request that ends the session
+        middleware.process_request(request)
+        request.session.flush()
+
+        # Handle the response through the middleware
+        response = middleware.process_response(request, response)
+
+        # Check that the cookie was deleted, not recreated.
+        # A deleted cookie header with a custom domain looks like:
+        #  Set-Cookie: sessionid=; Domain=.example.local;
+        #              expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
+        self.assertEqual(
+            'Set-Cookie: {}={}; Domain=.example.local; expires=Thu, '
+            '01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/'.format(
+                settings.SESSION_COOKIE_NAME,
+                '""' if sys.version_info >= (3, 5) else '',
+            ),
+            str(response.cookies[settings.SESSION_COOKIE_NAME])
+        )
+
 
 # Don't need DB flushing for these tests, so can use unittest.TestCase as base class
 class CookieSessionTests(SessionTestsMixin, unittest.TestCase):