Changes between Version 1 and Version 2 of Ticket #23939


Ignore:
Timestamp:
11/30/2014 07:00:46 PM (7 years ago)
Author:
Andrew Badr
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #23939 – Description

    v1 v2  
    1 Setting a "Vary: Cookie" header when unnecessary is bad for reasons described in e.g. #3586, #6552. It seems that the recently-introduced and on-by-default SessionAuthenticationMiddleware causes this header to always be set. This seems to be caused by the `hasattr(user, 'get_session_auth_hash')` check here: https://github.com/django/django/blob/1.7.1/django/contrib/auth/middleware.py#L34.
     1Setting a "Vary: Cookie" header when unnecessary is bad for reasons described in e.g. #3586, #6552. It seems that the recently-introduced and on-by-default SessionAuthenticationMiddleware causes this header to always be set. This seems to be caused by the `hasattr(user, 'get_session_auth_hash')` call at https://github.com/django/django/blob/1.7.1/django/contrib/auth/middleware.py#L34.
    22
    33To reproduce: start a new empty project with django-admin.py, request the index page, and see that the Vary: Cookie header is present. Commenting-out the middleware's line in settings.py causes the header to disappear.
    44
    5 It might be good to add a general test case verifying that the above steps never set a Vary: Cookie header.
     5It might be good to add a general test case verifying that the default page never sets a Vary: Cookie header.
Back to Top