Opened 9 years ago
Last modified 9 years ago
#23939 closed Bug
SessionAuthenticationMiddleware causes "Vary: Cookie" header no matter what — at Version 2
| Reported by: | Andrew Badr | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.7 |
| Severity: | Release blocker | Keywords: | cookies |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Setting a "Vary: Cookie" header when unnecessary is bad for reasons described in e.g. #3586, #6552. It seems that the recently-introduced and on-by-default SessionAuthenticationMiddleware causes this header to always be set. This seems to be caused by the hasattr(user, 'get_session_auth_hash') call at https://github.com/django/django/blob/1.7.1/django/contrib/auth/middleware.py#L34.
To reproduce: start a new empty project with django-admin.py, request the index page, and see that the Vary: Cookie header is present. Commenting-out the middleware's line in settings.py causes the header to disappear.
It might be good to add a general test case verifying that the default page never sets a Vary: Cookie header.
Change History (2)
comment:1 by , 9 years ago
| Description: | modified (diff) |
|---|
comment:2 by , 9 years ago
| Description: | modified (diff) |
|---|