Handling session cookie delete on logout #179

@tom-ph


Hi, I'm developing an application that uses Django as a backend with the Django REST framework and django-user-sessions packages.
I implemented a logout API view that logs out the user with Django's built-in method, and would like to delete the session cookie after logging out.

Expected Behavior

user-sessions middleware correctly deletes cookie

Current Behavior

The cookie is not deleted. Also, if I manually delete the cookie in the logout API response, the behavior is overridden by the middleware, which resets the expiration to the old expiration time.

Possible Solution

After the logout the session object has a user_id of None. I don't know if there is a reason to keep a cookie with a session without a user, or if removing it could break something, but otherwise the solution could be to delete the cookie instead of resetting it if the user_id is None.

Steps to Reproduce (for bugs)

Just log in and log out, then check the sessionid cookie in your browser storage.

Your Environment

  • Browser and version: Firefox 121
  • Python version: 3.11.7
  • Django version: 4.2.7
  • django-otp version: 1.2.4
  • django-user-sessions version: 2.0.0
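
A check for the behaviour reported above, as an added example that is not part of the original issue or of django-user-sessions: it classifies what the `Set-Cookie` headers of a logout response leave of the `sessionid` cookie. The header strings are constructed samples, and the function and constant names are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed samples: a deletion header, and a header that re-sets the cookie
# with a fresh expiry (the outcome the issue describes after logout).
DELETE = 'sessionid=""; expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/'
RESET = ('sessionid=abc123constructed; expires=Mon, 29 Jan 2024 00:00:00 GMT; '
         'HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax')


def _is_expired(morsel, now):
    """True if this Set-Cookie tells the browser to drop the cookie."""
    if morsel["max-age"] != "":
        try:
            return int(morsel["max-age"]) <= 0  # Max-Age wins over Expires
        except ValueError:
            pass  # malformed Max-Age: fall back to Expires
    if morsel["expires"]:
        try:
            when = parsedate_to_datetime(morsel["expires"])
        except (TypeError, ValueError):
            return False
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when <= now
    return False  # no expiry attributes: a live browser-session cookie


def cookie_state_after(set_cookie_headers, name="sessionid", now=None):
    """Return 'deleted', 'kept' or 'untouched' for cookie `name`.

    Headers are applied in order, as a browser does, so a later Set-Cookie
    for the same name replaces the effect of an earlier one.
    """
    now = now or datetime.now(timezone.utc)
    state = "untouched"
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if name in jar:
            state = "deleted" if _is_expired(jar[name], now) else "kept"
    return state


if __name__ == "__main__":
    print(cookie_state_after([RESET]))   # logout response that only re-sets the cookie
    print(cookie_state_after([DELETE]))  # logout response that deletes it
```

In a logout test, pass the response's `Set-Cookie` header values and assert that the result is `deleted`.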
