django-oscar-api

`cookies_to_delete` is always an empty list

Open kevinrenskers opened this issue 1 year ago • 12 comments

When `BasketMiddleware` adds something to `request.cookies_to_delete`, it is never actually deleted inside of `ApiBasketMiddleWare.process_response`. This is because `ApiBasketMiddleWare.__call__` calls `super(ApiBasketMiddleWare, self).__call__(request)`, which also has the line `request.cookies_to_delete = []` (see here).

So the result of this is that cookies that should be getting deleted are not getting deleted. For example, when I am logged in as a user and then log out, the `oscar_open_basket` cookie still has a `basket_id` value of the logged-in user's basket. And `BasketMiddleware` doesn't recognize such a basket for anonymous users:

    def get_cookie_basket(self, cookie_key, request, manager):
        """
        Looks for a basket which is referenced by a cookie.

        If a cookie key is found with no matching basket, then we add
        it to the list to be deleted.
        """
        basket = None
        if cookie_key in request.COOKIES:
            basket_hash = request.COOKIES[cookie_key]
            try:
                basket_id = Signer().unsign(basket_hash)
                basket = Basket.objects.get(pk=basket_id, owner=None,
                                            status=Basket.OPEN)
            except (BadSignature, Basket.DoesNotExist):
                request.cookies_to_delete.append(cookie_key)
        return basket

As you can see, it filters on `owner=None` and since the basket in the cookie still belongs to someone, it doesn't find the basket, creates a brand new basket, and it also wants to delete the cookie. But this deletion does not happen.

kevinrenskers, May 09 '23 18:05
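
The call order reported in this issue, reduced to a framework-free model. This is an added example, not code from django-oscar or django-oscar-api: the class names, the `preserve_existing` flag and the cookie value are hypothetical stand-ins, and the guarded variant is one assumed way to keep deletions that were queued before the parent runs.

```python
COOKIE_KEY = "oscar_open_basket"


class Request:
    def __init__(self, cookies):
        self.COOKIES = dict(cookies)


class Response:
    def __init__(self):
        self.deleted = []

    def delete_cookie(self, key):
        self.deleted.append(key)


class ParentMiddleware:
    """Stand-in for the parent basket middleware (hypothetical, simplified)."""
    preserve_existing = False  # False models the behaviour reported in the issue

    def __call__(self, request):
        if not (self.preserve_existing and hasattr(request, "cookies_to_delete")):
            request.cookies_to_delete = []  # wipes anything queued earlier
        return Response()


class ApiMiddleware(ParentMiddleware):
    """Stand-in for the API subclass: queue a deletion, then delegate upward."""

    def __call__(self, request):
        request.cookies_to_delete = []
        if COOKIE_KEY in request.COOKIES:  # stale cookie with no matching basket
            request.cookies_to_delete.append(COOKIE_KEY)
        response = super().__call__(request)  # parent resets the list here
        return self.process_response(request, response)

    def process_response(self, request, response):
        for key in request.cookies_to_delete:
            response.delete_cookie(key)
        return response


class GuardedApiMiddleware(ApiMiddleware):
    preserve_existing = True  # assumed mitigation: parent keeps an existing list


def deleted_cookies(middleware_cls):
    """Send one request with a stale basket cookie; return the cookies deleted."""
    request = Request({COOKIE_KEY: "42:constructed-signature"})  # constructed value
    return middleware_cls()(request).deleted
```

The same assertion on the response's deleted cookies works as a regression test against the real middleware once a request with a stale basket cookie is driven through it.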