id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
29471	Set-Cookie response is cached for deleting invalid session cookies	Duane Hutchins	birthdaysgift	"Regarding: [https://docs.djangoproject.com/en/2.0/_modules/django/contrib/sessions/middleware/#SessionMiddleware django.contrib.sessions.middleware.SessionMiddleware]
and [https://docs.djangoproject.com/en/2.0/_modules/django/utils/cache/#learn_cache_key django.utils.cache]

Using the SessionMiddleware and caching, if an invalid sessionid (i.e. an empty session) is passed via cookie, the SessionMiddleware responds by deleting the cookie, and this response is cached without Vary: Cookie, so all subsequent authenticated requests also receive that delete-session-cookie header.

The end result is that if a cache-enabled page receives a request using an invalid session id, that page will log out all users who visit that page until that cache expires/purges.

To duplicate:

* Enable caching and sessions as normal.
* Visit a cache-enabled page which shows different content for users who are logged in vs not logged in.
* Log in via browser
* Change your browser's sessionid cookie value via Chrome Developer Tools or whatever.
* Refresh your browser
* The browser is told to delete the invalid cookie (correct).
* Log in again. Refresh again (if necessary).
* The login is successful; however, the browser is instructed to delete the session cookie (incorrect).
* The user is logged out
* The same logout happens for all users who visit that page -- until the cache expires

If I decorate the aforementioned page view with @vary_on_cookie (which inserts the Vary:Cookie header), then the issue is resolved.

Possible solutions I can think of:

* SessionMiddleware adds Vary:Cookie when deleting invalid session cookies
* Cache Util assumes Vary:Cookie when response includes Set-Cookie header."	Bug	closed	contrib.sessions	2.0	Normal	fixed	empty session cache	Herbert Fortes Martin H.	Ready for checkin	1	0	0	0	0	0
