WSGI/ASGI 2 Set-Cookie headers problem #15

@Risac79

Describe the bug
While a standard server (e.g. uvicorn, gunicorn) will, on successful login, return 2 Set-Cookie headers (CSRF token + other info, and sessionid), IRIS WSGI combines the two Set-Cookie headers into one, causing the browser to ignore sessionid from the single Set-Cookie header.

Note the difference:

UVICORN:
image

IRIS WSGI:

image

And the Cookie store:

image

Workaround:

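from django.contrib.auth import authenticate, login
from django.shortcuts import redirect


def login_view(request):  # view name assumed; the post shows only the body
    user_obj = authenticate(username=request.POST['username'],
                            password=request.POST['password'])
    if user_obj:
        login(request, user_obj)
        response = redirect("index")
        # Read the session key from the session that login() set up
        sessionid = request.session.session_key

        if sessionid:
            # Add the sessionid as a separate Set-Cookie header
            response.set_cookie('sessionid', sessionid, httponly=True)

        return response
    # The failed-login branch is not shown in the original post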

After Workaround:

image

Browser cookie storage:
image

While this solves some of the async content problems in the applications, POST was not working correctly. Possibly due to the CSRF token being pushed to the back of Set-Cookie.

For more details, see:

https://community.intersystems.com/post/cookie-monster-and-other-troubles-and-some-workarounds-too-we-ran-while-doing-django-iris-wsgi#comment-267576
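
Why a combined Set-Cookie header loses the session cookie, as an added example (not code from the issue or from IRIS). It assumes the adapter joins repeated headers with a comma, which the issue does not state; the header values are constructed, and `fold_headers`, `cookies_stored` and `folded_set_cookie` are hypothetical names. The last function is a check a response-header test can run.

```python
# Constructed sample: what a WSGI app passes to start_response.
# Headers are a list of tuples, so a name may legitimately repeat.
APP_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "csrftoken=tok123; Max-Age=31449600; Path=/; SameSite=Lax"),
    ("Set-Cookie", "sessionid=sess456; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax"),
]


def fold_headers(headers):
    """Assumed lossy adapter: one value per name, repeats joined with ', '."""
    folded = {}
    for name, value in headers:
        folded[name] = f"{folded[name]}, {value}" if name in folded else value
    return list(folded.items())


def cookies_stored(headers):
    """Cookie names a browser would keep: per RFC 6265 section 5.2 each
    Set-Cookie line yields one cookie, the name=value before the first ';'."""
    names = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            pair = value.split(";", 1)[0]
            names.append(pair.split("=", 1)[0].strip())
    return names


def folded_set_cookie(headers):
    """Detection check: names of cookies buried after a comma inside another
    Set-Cookie value. An Expires date also has a comma, but no '=' after it."""
    buried = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        for segment in value.split(";"):
            _head, comma, tail = segment.partition(",")
            if comma and "=" in tail:
                buried.append(tail.split("=", 1)[0].strip())
    return buried


if __name__ == "__main__":
    combined = fold_headers(APP_HEADERS)
    print("separate headers ->", cookies_stored(APP_HEADERS))
    print("combined header  ->", cookies_stored(combined))
    print("buried cookies   ->", folded_set_cookie(combined))
```

In the combined form the browser reads `sessionid=sess456` as part of the `SameSite` attribute value of the `csrftoken` cookie, so no session cookie is stored.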
