#29450 closed Cleanup/optimization (duplicate)

Redirect using HTTP status "303 See Other" for django.http.response HttpResponseRedirect

Reported by: Duane Hutchins
Owned by: nobody
Component: HTTP handling
Version: master
Severity: Normal
Keywords: http redirect 302 303
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

Regarding: django.http.response HttpResponseRedirect

Current redirects use http status 302, which is fine most of the time, but it can cause issues if browser caching is permitted.

For example:

  • Cache-Control allows caching globally
  • User is logged in
  • User logs out (GET response = 302 redirect)
  • This response is cached by the browser
  • User logs back in
  • User attempts to log out again
  • Browser serves cached response from disk and redirects without request revalidation
  • Result: User is not actually logged out

Caching breaks the response, which is why HTTP Status 303 redirects do not allow caching. They are more appropriate than 302 redirects.
https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.3

Note that 303 redirects are not HTTP/1.0 compatible. A quick check shows that every modern browser now supports http/1.1 or higher. Still, 302 redirect responses can still be served for http/1.0 requests, if that's a concern.

Two other tickets (#13277 and #6227) requested this fix 8+ years ago, and they were closed because http/1.0 was still in common use at the time.

Now that http/1.0 is no longer in common use, can we change this redirect to 303?
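
The caching sequence described above, as an added Python model that is not part of the ticket or of Django's code. The `Server` and `Browser` classes, the user `alice` and the `max-age=3600` policy are constructed for illustration, and the cache decision here depends only on the `max-age` and `no-store` directives, not on the status code.

```python
"""Constructed model: a browser cache replaying a cached GET /logout redirect."""

GLOBAL_CACHE_CONTROL = "max-age=3600"  # constructed site-wide caching policy


class Server:
    def __init__(self, harden_logout):
        self.harden_logout = harden_logout
        self.logged_in = set()

    def login(self, user):
        self.logged_in.add(user)

    def handle_logout(self, user):
        """GET /logout: end the session, then redirect to the home page."""
        self.logged_in.discard(user)
        if self.harden_logout:
            # Mitigation: 303 plus an explicit opt-out of the global policy.
            return 303, {"Location": "/", "Cache-Control": "no-store"}
        return 302, {"Location": "/", "Cache-Control": GLOBAL_CACHE_CONTROL}


class Browser:
    """Private cache keyed by URL; freshness expiry is not modelled."""

    def __init__(self, server, user):
        self.server, self.user, self.cache = server, user, {}

    def get_logout(self):
        if "/logout" in self.cache:
            return self.cache["/logout"], "cache"  # server never sees the request
        status, headers = self.server.handle_logout(self.user)
        directives = {d.strip().split("=")[0] for d in headers["Cache-Control"].split(",")}
        if "max-age" in directives and "no-store" not in directives:
            self.cache["/logout"] = (status, headers)
        return (status, headers), "network"


def still_logged_in_after_second_logout(harden_logout):
    """Replay the ticket's steps; return (session still active, response source)."""
    server = Server(harden_logout)
    browser = Browser(server, "alice")
    server.login("alice")
    browser.get_logout()              # first logout reaches the server
    server.login("alice")             # user logs back in
    _, source = browser.get_logout()  # second logout attempt
    return "alice" in server.logged_in, source
```
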

Change History (1)

comment:1 Changed 15 months ago by Tim Graham

Resolution: duplicate
Status: new → closed

The correct way to discuss a wontfix ticket is to start a discussion on the DevelopersMailingList. If there's consensus there to make the change, then we'll reopen one of the original tickets.
