Opened 4 weeks ago

Last modified 3 weeks ago

#28948 assigned Bug

CookieStorage performance issues

Reported by: Michal Čihař Owned by: Srinivas Reddy Thatiparthy
Component: contrib.messages Version: 2.0
Severity: Normal Keywords:
Cc: Adam (Chainz) Johnson, Sergey Fedoseev Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


The CookieStorage tries to generate as big cookie as possible to fit all messages. However doing this on lot of small messages is very expensive and can take several seconds on the server, potentially leading to denial of service.

Here is simple code to reproduce the slowness:

#!/usr/bin/env python

# Configure needed settings
from django.conf import settings

from django.contrib.sessions.middleware import SessionMiddleware
from django.contrib.messages.middleware import MessageMiddleware
from import CookieStorage
from django.contrib.messages.api import info
from django.http.request import HttpRequest
from django.http.response import HttpResponse
from import default_storage

# Request and response objects
response = HttpResponse()
request = HttpRequest()

# Process request by middleware
mm = MessageMiddleware()

# Insert messages
for x in range(500):
    info(request, 'm:{0}'.format(x))

# Measure response processing time
import timeit
    'mm.process_response(request, response)',
    globals=globals(), number=10

In my case the DOS was triggered by broken client who repeatedly posted form generating message, but never did follow redirect to display the messages, so nothing really sophisticated.

Quickly looking at the code following performance improvements come to my mind:

  • Avoid repeated encoding of the messages, encode them all at once and then operate on encoded strings
  • Avoid calculating HMAC while calculating length as length of it is fixed
  • Do bisect instead of removing messages one by one

Change History (4)

comment:1 Changed 4 weeks ago by Adam (Chainz) Johnson

Cc: Adam (Chainz) Johnson added

comment:2 Changed 4 weeks ago by Sergey Fedoseev

Cc: Sergey Fedoseev added

comment:3 Changed 3 weeks ago by Tim Graham

Triage Stage: UnreviewedAccepted

comment:4 Changed 3 weeks ago by Srinivas Reddy Thatiparthy

Owner: changed from nobody to Srinivas Reddy Thatiparthy
Status: newassigned
Note: See TracTickets for help on using tickets.
Back to Top