Also remove old domain-less api token cookie on logout, for existing sessions

2018-01-25 12:33:59 +01:00 · 2018-01-25 12:33:59 +01:00 · 622c0f2d08
--- a/src/olympia/accounts/views.py
+++ b/src/olympia/accounts/views.py
@ -325,6 +325,11 @@ class AuthenticateView(FxAConfigMixin, APIView):

 def logout_user(request, response):
    logout(request)
+    # The API_TOKEN_COOKIE needs to be deleted twice, one with specifying
+    # the domain, and one without. This is because it used to be set without
+    # the domain, so we still have users around with that version of the
+    # cookie.
+    response.delete_cookie(API_TOKEN_COOKIE)
    response.delete_cookie(
        API_TOKEN_COOKIE, domain=settings.SESSION_COOKIE_DOMAIN)