Opened 2 years ago

Last modified 2 years ago

#34173 closed Cleanup/optimization

SessionMiddleware only returns 400 or 500 error in case of DB issues. — at Initial Version

Reported by: SessionIssue Owned by: nobody
Component: contrib.sessions Version: 4.1
Severity: Normal Keywords:
Cc: Florian Apolloner, Anssi Kääriäinen Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

Hi guys,

I have the following situation. In one of my applications I'm having an issue with returning the right status code.
For example I had this situation where I wanted to list 1000 results, this normally takes a couple of seconds, but during this request, my DB went offline or got stuck for some reason. Currently, this resulted in a 500 status code.
As I have a custom controller that only retries tasks on specific status codes (like 503), I want to return a 503 status code (I also think that 503 is a more suitable one than 500 in this case), but this resulted in returning a 400 status code. The reason for that is the SessionMiddleware and particularly this part: 

if response.status_code != 500:
                    try:
                        request.session.save()
                    except UpdateError:
                        raise SessionInterrupted(
                            "The request's session was deleted before the "
                            "request completed. The user may have logged "
                            "out in a concurrent request, for example."
                        )
                    response.set_cookie(
                        settings.SESSION_COOKIE_NAME,
                        request.session.session_key, max_age=max_age,
                        expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
                        path=settings.SESSION_COOKIE_PATH,
                        secure=settings.SESSION_COOKIE_SECURE or None,
                        httponly=settings.SESSION_COOKIE_HTTPONLY or None,
                        samesite=settings.SESSION_COOKIE_SAMESITE,
                    )

As my DB is offline, this results in a 400 error, as the session can't be saved.
I rewrote this small piece in a custom middleware that inherits the SessionMiddleware, but this is not a futureproof solution:

**if response.status_code not in [500, 503]:**
                    try:
                        request.session.save()
                    except UpdateError:
                        raise SessionInterrupted(
                            "The request's session was deleted before the "
                            "request completed. The user may have logged "
                            "out in a concurrent request, for example."
                        )
                    response.set_cookie(
                        settings.SESSION_COOKIE_NAME,
                        request.session.session_key, max_age=max_age,
                        expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
                        path=settings.SESSION_COOKIE_PATH,
                        secure=settings.SESSION_COOKIE_SECURE or None,
                        httponly=settings.SESSION_COOKIE_HTTPONLY or None,
                        samesite=settings.SESSION_COOKIE_SAMESITE,
                    )


It's a small change, but it will make it hard for us to keep track of all the Django updates.

Do you have a generic solution for this issue?

Thanks in advance.

Change History (0)

Note: See TracTickets for help on using tickets.
Back to Top