id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
29450	"Redirect using HTTP status ""303 See Other"" for django.http.response HttpResponseRedirect"	Duane Hutchins	nobody	"Regarding: [https://docs.djangoproject.com/en/2.0/_modules/django/http/response/#HttpResponseRedirect django.http.response HttpResponseRedirect]

Current redirects use http status 302, which is fine most of the time, but it can cause issues if browser caching is permitted.

For example:

* Cache-Control allows caching globally
* User is logged in
* User logs out (GET response = 302 redirect)
* This response is cached by the browser
* User logs back in
* User attempts to log out again
* Browser serves cached response from disk and redirects without request revalidation
* Result: User is not actually logged out

Caching breaks the response, which is why HTTP Status 303 redirects do not allow caching. They are more appropriate than 302 redirects.
https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.3

Note that 303 redirects are not HTTP/1.0 compatible. A quick check shows that every modern browser now supports http/1.1 or higher. Still, 302 redirect responses can still be served for http/1.0 requests, if that's a concern.

Two other tickets (#13277 and #6227) requested this fix 8+ years ago, and they were closed because http/1.0 was still in common use at the time.

Now that http/1.0 is no longer in common use, can we change this redirect to 303?"	Cleanup/optimization	closed	HTTP handling	dev	Normal	duplicate	http redirect 302 303		Unreviewed	0	0	0	0	1	0
