Opened 4 years ago

Last modified 6 months ago

#28948 new Bug

CookieStorage performance issues

Reported by: Michal Čihař
Owned by:
Component: contrib.messages
Version: 2.0
Severity: Normal
Keywords:
Cc: Adam Johnson
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


The CookieStorage tries to generate as big a cookie as possible to fit all messages. However, doing this on a lot of small messages is very expensive and can take several seconds on the server, potentially leading to denial of service.

Here is simple code to reproduce the slowness:

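#!/usr/bin/env python

# Configure needed settings
from django.conf import settings

# The configure call was missing from the snippet; these values are assumed
settings.configure(
    SECRET_KEY='placeholder-secret-key',
    MESSAGE_STORAGE='django.contrib.messages.storage.cookie.CookieStorage',
)

from django.contrib.sessions.middleware import SessionMiddleware
from django.contrib.messages.middleware import MessageMiddleware
from django.contrib.messages.storage.cookie import CookieStorage
from django.contrib.messages.api import info
from django.http.request import HttpRequest
from django.http.response import HttpResponse
from django.contrib.messages.storage import default_storage

# Request and response objects
response = HttpResponse()
request = HttpRequest()

# Process request by middleware
# (get_response is required on newer Django versions and accepted on 2.0)
mm = MessageMiddleware(lambda request: response)
mm.process_request(request)

# Insert messages
for x in range(500):
    info(request, 'm:{0}'.format(x))

# Measure response processing time
import timeit
print(timeit.timeit(
    'mm.process_response(request, response)',
    globals=globals(), number=10
))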

In my case the DoS was triggered by a broken client which repeatedly posted a form generating a message, but never followed the redirect to display the messages, so nothing really sophisticated.

Quickly looking at the code, the following performance improvements come to my mind:

  • Avoid repeated encoding of the messages, encode them all at once and then operate on encoded strings
  • Avoid calculating the HMAC while calculating the length, as its length is fixed
  • Do bisect instead of removing messages one by one
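
The three suggestions above, combined in a standalone sketch (an added example, not code from the ticket or from Django): each message is encoded once, the signature length is treated as a constant, and the cut-off point is found by bisection instead of one removal per pass. The `signature$json` layout, the key, the 2048-byte budget and the function names are assumptions made for the example.

```python
import bisect
import hashlib
import hmac
import json
from itertools import accumulate

MAX_COOKIE_SIZE = 2048             # size budget assumed for this example
KEY = b"constructed-example-key"   # constructed key, not a real secret
# A hex HMAC-SHA256 digest plus the "$" separator always has the same length.
SIG_LEN = hashlib.sha256().digest_size * 2 + 1


def encode_signed(messages):
    """Encode and sign the whole list; the naive path repeats this per removal."""
    body = json.dumps(messages, separators=(",", ":"))
    sig = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return sig + "$" + body


def fit_naive(messages):
    """Drop the oldest message and re-encode until the cookie fits."""
    kept = list(messages)
    while kept and len(encode_signed(kept)) > MAX_COOKIE_SIZE:
        kept.pop(0)
    return kept


def fit_bisect(messages):
    """Encode each message once, then bisect on cumulative encoded sizes."""
    # Cost of one item inside the JSON array: its encoding plus one comma.
    costs = [len(json.dumps(m, separators=(",", ":"))) + 1 for m in messages]
    prefix = [0] + list(accumulate(costs))   # prefix[i] = cost of messages[:i]
    # Budget left after the signature and "[" "]", minus the comma that the
    # last item does not need. No HMAC is computed here.
    allowed = MAX_COOKIE_SIZE - SIG_LEN - 1
    # Smallest i such that the cost of messages[i:] fits into `allowed`.
    first_kept = bisect.bisect_left(prefix, prefix[-1] - allowed)
    return list(messages[first_kept:])


if __name__ == "__main__":
    msgs = ["m:{0}".format(x) for x in range(500)]  # same shape as the ticket's script
    kept = fit_bisect(msgs)
    assert kept == fit_naive(msgs)
    print(len(kept), "messages kept,", len(encode_signed(kept)), "bytes")
```
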

Change History (6)

comment:1 Changed 4 years ago by Adam Johnson

Cc: Adam Johnson added

comment:2 Changed 4 years ago by Sergey Fedoseev

Cc: Sergey Fedoseev added

comment:3 Changed 4 years ago by Tim Graham

Triage Stage: Unreviewed → Accepted

comment:4 Changed 4 years ago by Srinivas Reddy Thatiparthy

Owner: changed from nobody to Srinivas Reddy Thatiparthy
Status: new → assigned

comment:5 Changed 6 months ago by Mariusz Felisiak

Owner: Srinivas Reddy Thatiparthy deleted
Status: assigned → new

comment:6 Changed 6 months ago by Sergey Fedoseev

Cc: Sergey Fedoseev removed