Changes between Version 1 and Version 2 of Ticket #23939
- Timestamp:
- Nov 30, 2014, 7:00:46 PM (9 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
Ticket #23939 – Description
v1 v2 1 Setting a "Vary: Cookie" header when unnecessary is bad for reasons described in e.g. #3586, #6552. It seems that the recently-introduced and on-by-default SessionAuthenticationMiddleware causes this header to always be set. This seems to be caused by the `hasattr(user, 'get_session_auth_hash')` c heck here:https://github.com/django/django/blob/1.7.1/django/contrib/auth/middleware.py#L34.1 Setting a "Vary: Cookie" header when unnecessary is bad for reasons described in e.g. #3586, #6552. It seems that the recently-introduced and on-by-default SessionAuthenticationMiddleware causes this header to always be set. This seems to be caused by the `hasattr(user, 'get_session_auth_hash')` call at https://github.com/django/django/blob/1.7.1/django/contrib/auth/middleware.py#L34. 2 2 3 3 To reproduce: start a new empty project with django-admin.py, request the index page, and see that the Vary: Cookie header is present. Commenting-out the middleware's line in settings.py causes the header to disappear. 4 4 5 It might be good to add a general test case verifying that the above steps never seta Vary: Cookie header.5 It might be good to add a general test case verifying that the default page never sets a Vary: Cookie header.