Opened 6 years ago

Last modified 6 years ago

#29971 closed Cleanup/optimization

Sessions setting vary cookie without providing a cookie — at Initial Version

Reported by: Jd Collins Owned by: Jd Collins
Component: contrib.sessions Version: 2.1
Severity: Normal Keywords: Sessions Vary Header Cookie
Cc: Triage Stage: Someday/Maybe
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

While reviewing process_response I believe the code is trying to accomplish the following things:

  1. Determine if the session has been accessed.
  2. Determine if the session has been modified.
  3. Determine if the session is empty.
  4. If the session cookie is in the cookies but is empty remove the session cookie.
  5. Else if not 4. then if the session has been accessed then patch the vary header to add Cookie.
  6. If the session has been modified or settings dictate that we always save the session and the session is not empty then we setup some cookie attributes, save the session, and set the cookie in the response.
  7. Return the response.

Possible issues in the current behavior:

  1. As reported in 29471, step 4 in the current behavior is responding in a way that sets the cookie to a blank value and expired but not setting the vary on cookie so this response can be cached for a requests causing authenticated sessions to be logged out.
  2. Step 5 in the current behavior, accessed is always True when using auth as a result of: django/contrib/auth/middleware.py in get_user. I am not sure how accessing the session alone is enough reason to vary on cookie regardless of why it was accessed?
  3. Step 5 in the current behavior, adds the vary cookie header even if the session is empty and will not be setting a cookie. This is problematic for caching since you are requiring a unique session based cache even if the session is empty.

Proposed behavior:

  1. Determine if the session has been accessed. (Not sure if this is providing much value for a vary header perspective but leaving it).
  2. Determine if the session has been modified.
  3. Determine if the session is empty.
  4. If the session cookie is in the cookies but is empty remove the session cookie. Also set the vary cookie to address potential issue #1.
  5. Else if the session has been modified or settings dictate that we always save the session and the session is not empty then we setup some cookie attributes, save the session, and set the cookie in the response. Also set the vary cookie.
  6. Else if the session is not empty the set the vary cookie.
  7. Return response.

Related Ticket(s)
https://code.djangoproject.com/ticket/29471

Change History (0)

Note: See TracTickets for help on using tickets.
Back to Top