session.flush should not delete the old session
| Reported by: | Glenn | Owned by: | nobody |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
Flushing and cycling the session should empty the data in the session and create a new key, but should not delete the old key.
1: JS kicks off a periodic AJAX request to update something, which is delayed in transit.
2: User submits an AJAX login form, which calls auth.login, calling session.flush or session.cycle_key. The AJAX response sets a new session cookie for the user.
3: The async request from #1 makes it to the server. This still has the old cookie, since it started before #2 finished. contrib.session doesn't recognize the cookie, since the previous request deleted it. It thinks it's an expired or corrupt session cookie, and flushes the session again.
session.flush should leave the old session in the database, and just clear its data. That way, when #3 comes around, it won't be an unrecognized session, and it won't trigger a session flush. Let the old session row expire on its own, like any idle session.
This doesn't change the definition of the function: "Removes the current session data from the database and regenerates the key."
This patch also fixes and tests session.cycle_key() raising an error if no session already existed; accessing self._session_cache raises AttributeError. This was triggering while I was writing the main test.
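The race in steps 1-3 above, replayed against a toy in-memory session store, as an added example that is not part of the ticket or Django's own code. `SessionStore`, `handle_request` and `replay_race` are hypothetical names, and the model assumes that the response to a request carrying an unrecognized key sets a cookie for the replacement session.

```python
import secrets

class SessionStore:
    """Toy server-side store (session key -> data); a model, not Django's code."""
    def __init__(self, keep_old_row):
        self.rows = {}
        self.keep_old_row = keep_old_row  # True = behaviour the ticket asks for

    def create(self):
        key = secrets.token_hex(16)
        self.rows[key] = {}
        return key

    def flush(self, key):
        """Empty the session and hand back a fresh key."""
        if key in self.rows:
            if self.keep_old_row:
                self.rows[key] = {}   # clear the data, let the row expire later
            else:
                del self.rows[key]    # old behaviour: the old key vanishes
        return self.create()

def handle_request(store, cookie, login_as=None):
    """Return the session key the response sets as a cookie, or None."""
    set_cookie = None
    if cookie not in store.rows:
        # Unrecognized key: treated as expired/corrupt, so start over.
        # Assumption: the response then sets a cookie for the new session.
        cookie = set_cookie = store.create()
    if login_as is not None:
        cookie = set_cookie = store.flush(cookie)
        store.rows[cookie]["user"] = login_as
    return set_cookie

def replay_race(keep_old_row):
    """Replay steps 1-3; return (user the browser ends up as, old row data)."""
    store = SessionStore(keep_old_row)
    old = store.create()
    store.rows[old]["cart"] = ["constructed-item"]          # constructed sample data
    in_flight = old                                         # 1: poll sent, delayed
    browser = handle_request(store, old, login_as="glenn")  # 2: AJAX login
    late = handle_request(store, in_flight)                 # 3: delayed poll arrives
    if late is not None:
        browser = late                                      # last Set-Cookie wins
    return store.rows[browser].get("user"), store.rows.get(old)

if __name__ == "__main__":
    print("delete old row:", replay_race(False))
    print("keep old row:  ", replay_race(True))
```

With the old row deleted, the late request replaces the browser's cookie with an empty anonymous session; with the row kept but emptied, the login survives and the old key still carries no data.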
Change History (9)
Changed 7 years ago by Glenn
comment:1 Changed 7 years ago by Glenn
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
comment:3 Changed 7 years ago by Alex
- Triage Stage changed from Unreviewed to Design decision needed
comment:7 Changed 3 years ago by aaugustin
- Triage Stage changed from Design decision needed to Accepted