Opened 5 years ago

Closed 5 years ago

#29728 closed Cleanup/optimization (fixed)

CSRF_USE_SESSIONS leads to session save on every request using csrf

Reported by: Michal Čihař
Owned by: nobody
Component: CSRF
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


The way CSRF saving in the session is currently implemented leads to updating the session with every request which uses CSRF tokens. Having many CSRF-protected forms on the site leads to a session update with almost every request. IMHO this is not really needed and it should update the session only if needed.

Change History (4)

comment:1 Changed 5 years ago by Claude Paroz

Has patch: set
Needs tests: set
Triage Stage: Unreviewed → Accepted

comment:2 Changed 5 years ago by Michal Čihař

Needs tests: unset

comment:3 Changed 5 years ago by Simon Charette

Triage Stage: Accepted → Ready for checkin

Patch should be RFC once the minor changes are addressed. Maybe it's something worth mentioning in the release notes?

comment:4 Changed 5 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: new → closed

In 22e8ab02:

Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged.
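
Added example, not code from this ticket or from Django: a stand-in session that marks itself modified on any item assignment, replayed against a store that counts writes, to compare storing the CSRF token unconditionally with storing it only when it changed. `FakeSession`, `FakeStore`, the helper names and the `_csrftoken` key are assumptions made for this sketch.

```python
# Added illustration: stand-ins for a session and its backend, not Django code.
CSRF_SESSION_KEY = "_csrftoken"


class FakeSession(dict):
    """Minimal session: any item assignment marks it modified (dirty)."""
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.modified = False

    def __setitem__(self, key, value):
        super().__setitem__(key, value)
        self.modified = True


class FakeStore:
    """Backend that counts writes; only modified sessions are persisted."""
    def __init__(self):
        self.data = {}
        self.writes = 0

    def load(self):
        return FakeSession(self.data)

    def save_if_modified(self, session):
        if session.modified:
            self.data = dict(session)
            self.writes += 1


def store_always(session, token):
    # Behaviour reported in the ticket: assign on every CSRF-using request.
    session[CSRF_SESSION_KEY] = token


def store_if_changed(session, token):
    # Behaviour named in the fix: skip the assignment when nothing changed.
    if session.get(CSRF_SESSION_KEY) != token:
        session[CSRF_SESSION_KEY] = token


def count_writes(store_token, tokens):
    """Replay one request per token and return the number of backend writes."""
    store = FakeStore()
    for token in tokens:
        session = store.load()
        store_token(session, token)
        store.save_if_modified(session)
    return store.writes
```

The comparison still writes when the token actually changes, so a rotated token is persisted exactly once.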
