#34571 closed Cleanup/optimization (wontfix)

Request with invalid session after concurrent logout or session timeout is considered a BadRequest

Reported by: Daniel Nunes Owned by: Daniel Nunes
Component: contrib.sessions Version: 3.2
Severity: Normal Keywords: session, session bad request
Cc: Carlton Gibson Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Daniel Nunes)

When working with multiple tabs, if a user logs out or his session times out, any concurrent request happening in another tab will be considered a bad request. See the SessionInterrupted exception raised.

I see that @carltongibson was slightly worried about the status code and I feel the same. This for me should be handled as forbidden (SessionInterrupted being a subclass of PermissionDenied) because the request is actually well-formed, but it's not allowed anymore.

What do you think?

Change History (7)

comment:1 by Daniel Nunes, 18 months ago

Description: modified (diff)

comment:2 by Daniel Nunes, 18 months ago

Description: modified (diff)

comment:3 by Natalia Bidart, 18 months ago

Resolution: wontfix
Status: newclosed

Hello! Thank you for your report. Considering that this was explicitly discussed in the PR you linked, and that Carlton and the rest of the reviewers were in agreement at the time to treat this as a 400 BadRequest, I believe that the best course of action at this point is to submit a new topic in the Django Forum, explaining your rationale and response status code change request. I'll close the ticket for now, but if there is agreement/positive feedback, please add a new comment here referencing the discussion and we'll be happy to re-open. Thanks!

comment:4 by Daniel Nunes, 18 months ago

Resolution: wontfix
Status: closednew

After discussing the ticket here with Carlton, I will re-open the ticket. I'll also assign it to myself.

Thank you!

comment:5 by Daniel Nunes, 18 months ago

Owner: changed from nobody to Daniel Nunes
Status: newassigned

comment:6 by Daniel Nunes, 18 months ago

Type: UncategorizedCleanup/optimization

comment:7 by Mariusz Felisiak, 18 months ago

Cc: Carlton Gibson added
Resolution: wontfix
Status: assignedclosed

I appreciate you'd like to reopen the ticket, but less than 1 day of discussion and 1 vote is not enough to reopen a ticket. Let's wait few more days.

Also, take into account that PermissionDenied subclasses are treated differently than BadRequest subclasses.

Note: See TracTickets for help on using tickets.
Back to Top