Opened 2 years ago

Closed 2 years ago

#29450 closed Cleanup/optimization (duplicate)

Redirect using HTTP status "303 See Other" for django.http.response HttpResponseRedirect

Reported by: Duane Hutchins
Owned by: nobody
Component: HTTP handling
Version: master
Severity: Normal
Keywords: http redirect 302 303
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no


Regarding: django.http.response HttpResponseRedirect

Current redirects use http status 302, which is fine most of the time, but it can cause issues if browser caching is permitted.

For example:

  • Cache-Control allows caching globally
  • User is logged in
  • User logs out (GET response = 302 redirect)
  • This response is cached by the browser
  • User logs back in
  • User attempts to log out again
  • Browser serves cached response from disk and redirects without request revalidation
  • Result: User is not actually logged out

Caching breaks the response, which is why HTTP Status 303 redirects do not allow caching. They are more appropriate than 302 redirects.

Note that 303 redirects are not HTTP/1.0 compatible. A quick check shows that every modern browser now supports http/1.1 or higher. Still, 302 redirect responses can still be served for http/1.0 requests, if that's a concern.

Two other tickets (#13277 and #6227) requested this fix 8+ years ago, and they were closed because http/1.0 was still in common use at the time.

Now that http/1.0 is no longer in common use, can we change this redirect to 303?
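The logout sequence listed in the ticket, as an added example that is not part of the ticket or of Django. It is a simplified model of a private browser cache that honours only `max-age` and `no-store` and does not model differences between status codes; `Server`, `Browser`, `second_logout` and the header values are hypothetical names and constructed inputs.

```python
# Added example: simplified model of the ticket's logout scenario; all names are hypothetical.
GLOBAL_CACHE_CONTROL = "max-age=3600"  # constructed site-wide policy ("caching allowed globally")

class Server:
    """Toy application: GET /logout ends the session and redirects to /."""
    def __init__(self, logout_cache_control):
        self.logged_in = False
        self.logout_cache_control = logout_cache_control

    def get(self, path):
        if path == "/logout":
            self.logged_in = False
            return 302, {"Location": "/", "Cache-Control": self.logout_cache_control}
        return 200, {"Cache-Control": GLOBAL_CACHE_CONTROL}

def parse_cache_control(value):
    """Return {directive: argument-or-None} for a Cache-Control header value."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

class Browser:
    """Private cache honouring only no-store and max-age (a deliberate simplification)."""
    def __init__(self, server):
        self.server, self.cache = server, {}

    def get(self, path, now):
        entry = self.cache.get(path)
        if entry and now < entry[0]:
            return entry[1], "cache"  # fresh entry: the server is never contacted
        response = self.server.get(path)
        cc = parse_cache_control(response[1].get("Cache-Control", ""))
        if "no-store" not in cc and (cc.get("max-age") or "").isdigit():
            self.cache[path] = (now + int(cc["max-age"]), response)
        return response, "network"

def second_logout(logout_cache_control):
    """Log in, log out, log in again, log out again; report what the second logout did."""
    server = Server(logout_cache_control)
    browser = Browser(server)
    server.logged_in = True
    browser.get("/logout", now=0)
    server.logged_in = True  # user logs back in
    _, source = browser.get("/logout", now=60)
    return source, server.logged_in  # (where the response came from, session still active?)
```

With the global policy applied to the logout redirect, the second logout is answered from the cache and the session stays active; with `no-store` on that one response, it reaches the server.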

Change History (1)

comment:1 Changed 2 years ago by Tim Graham

Resolution: duplicate
Status: new → closed

The correct way to discuss a wontfix ticket is to start a discussion on the DevelopersMailingList. If there's consensus there to make the change, then we'll reopen one of the original tickets.
