id summary reporter owner description type status component version severity resolution keywords cc stage has_patch needs_docs needs_tests needs_better_patch easy ui_ux 29946 Weird session behavior after upgrading to Django 1.11.16 Tim Abbott nobody "Upgrading from Django 1.11.14 to Django 1.11.16 last week seems to have introduced a weird and serious password reset + session bug issue in Zulip (https://zulipchat.com). What we experienced was at follows: * A user reset their password using the Django password reset form, and completes the flow. This part of the reproduction recipe seems to be essential. * That user then logs in with their new password. The login completes, and e.g. sends new-login emails from our processor for the `user_logged_in` signal. * Immediately after the login completes, all API requests fail with the server returning the standard 401 error for ""no session"", aka `request.user.is_authenticated` being False. * Looking at a browser console, the browser is sending cookies. * Inspecting the database using our standard session debugging code: https://github.com/zulip/zulip/blob/master/zerver/lib/sessions.py#L25, there are no sessions associated with the user after this login process. * This was highly reproducible for us. While I'm not 100% sure that the Django upgrade is what caused the problem (just because I haven't been able to reproduce it in our development environment), but the following is very suspicious: * Reverting to 1.11.14 fixed the problem for all the previously affected users who we've talked to (still waiting to hear back from a few more for further confirmation). * We haven't made any changes to our own password reset code in months. * During the same period after we took the Django upgrade, we started seeing this new exception in our error emails, which is in the database code for session updates and thus could be triggered by the changes in 1.11.16: {{{ Traceback (most recent call last): File ""/home/zulip/deployments/2018-11-12-02-10-23/zulip-py3-venv/lib/python3.5/site-packages/django/contrib/sessions/backends/db.py"", line 87, in save obj.save(force_insert=must_create, force_update=not must_create, using=using) File ""/home/zulip/deployments/2018-11-12-02-10-23/zulip-py3-venv/lib/python3.5/site-packages/django/db/models/base.py"", line 808, in save force_update=force_update, update_fields=update_fields) File ""/home/zulip/deployments/2018-11-12-02-10-23/zulip-py3-venv/lib/python3.5/site-packages/django/db/models/base.py"", line 838, in save_base updated = self._save_table(raw, cls, force_insert, force_update, using, update_fields) File ""/home/zulip/deployments/2018-11-12-02-10-23/zulip-py3-venv/lib/python3.5/site-packages/django/db/models/base.py"", line 907, in _save_table raise DatabaseError(""Forced update did not affect any rows."") django.db.utils.DatabaseError: Forced update did not affect any rows. During handling of the above exception, another exception occurred: Traceback (most recent call last): File ""/home/zulip/deployments/2018-11-12-02-10-23/zulip-py3-venv/lib/python3.5/site-packages/django/core/handlers/exception.py"", line 41, in inner response = get_response(request) File ""/home/zulip/deployments/2018-11-12-02-10-23/zulip-py3-venv/lib/python3.5/site-packages/django/utils/deprecation.py"", line 142, in __call__ response = self.process_response(request, response) File ""./zerver/middleware.py"", line 389, in process_response request.session.save() File ""/home/zulip/deployments/2018-11-12-02-10-23/zulip-py3-venv/lib/python3.5/site-packages/django/contrib/sessions/backends/cached_db.py"", line 63, in save super(SessionStore, self).save(must_create) File ""/home/zulip/deployments/2018-11-12-02-10-23/zulip-py3-venv/lib/python3.5/site-packages/django/contrib/sessions/backends/db.py"", line 94, in save raise UpdateError django.contrib.sessions.backends.base.UpdateError }}} I'm happy to do further debugging to help get to the bottom of this." Bug new contrib.auth 1.11 Release blocker Unreviewed 0 0 0 0 0 0