--- django/contrib/messages/storage/cookie.py.orig 2020-08-13 11:10:36.719177122 +0200 +++ django/contrib/messages/storage/cookie.py 2020-08-13 11:45:23.503463150 +0200 @@ -109,6 +109,8 @@ response.delete_cookie( self.cookie_name, domain=settings.SESSION_COOKIE_DOMAIN, + secure=settings.SESSION_COOKIE_SECURE or None, + httponly=settings.SESSION_COOKIE_HTTPONLY or None, samesite=settings.SESSION_COOKIE_SAMESITE, ) --- django/http/response.py.orig 2020-08-13 11:16:04.060627793 +0200 +++ django/http/response.py 2020-08-13 11:54:03.482476973 +0200 @@ -282,20 +282,28 @@ value = signing.get_cookie_signer(salt=key + salt).sign(value) return self.set_cookie(key, value, **kwargs) - def delete_cookie(self, key, path="/", domain=None, samesite=None): + def delete_cookie(self, key, path="/", domain=None, secure=False, httponly=False, samesite=None): # Browsers can ignore the Set-Cookie header if the cookie doesn't use # the secure flag and: # - the cookie name starts with "__Host-" or "__Secure-", or # - the samesite is "none". - secure = key.startswith(("__Secure-", "__Host-")) or ( - samesite and samesite.lower() == "none" - ) + if key in self.cookies: + domain = self.cookies[key].get("domain", domain) + secure = self.cookies[key].get("secure", secure) + httponly = self.cookies[key].get("httponly", httponly) + samesite = self.cookies[key].get("samesite", samesite) + else: + secure = secure or ( + key.startswith(("__Secure-", "__Host-")) or + (samesite and samesite.lower() == "none") + ) self.set_cookie( key, max_age=0, path=path, domain=domain, secure=secure, + httponly=httponly, expires="Thu, 01 Jan 1970 00:00:00 GMT", samesite=samesite, ) --- django/contrib/sessions/middleware.py.orig 2020-08-13 12:12:12.401898114 +0200 +++ django/contrib/sessions/middleware.py 2020-08-13 12:14:52.690520659 +0200 @@ -38,6 +38,8 @@ settings.SESSION_COOKIE_NAME, path=settings.SESSION_COOKIE_PATH, domain=settings.SESSION_COOKIE_DOMAIN, + secure=settings.SESSION_COOKIE_SECURE or None, + httponly=settings.SESSION_COOKIE_HTTPONLY or None, samesite=settings.SESSION_COOKIE_SAMESITE, ) patch_vary_headers(response, ("Cookie",))