Opened 21 months ago
Closed 21 months ago
#34571 closed Cleanup/optimization (wontfix)
Request with invalid session after concurrent logout or session timeout is considered a BadRequest
Reported by: | Daniel Nunes | Owned by: | Daniel Nunes |
---|---|---|---|
Component: | contrib.sessions | Version: | 3.2 |
Severity: | Normal | Keywords: | session, session bad request |
Cc: | Carlton Gibson | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
When working with multiple tabs, if a user logs out or his session times out, any concurrent request happening in another tab will be considered a bad request. See the SessionInterrupted exception raised.
I see that @carltongibson was slightly worried about the status code and I feel the same. This for me should be handled as forbidden (SessionInterrupted being a subclass of PermissionDenied) because the request is actually well-formed, but it's not allowed anymore.
What do you think?
Change History (7)
comment:1 by , 21 months ago
Description: | modified (diff) |
---|---|
comment:2 by , 21 months ago
Description: | modified (diff) |
---|---|
comment:3 by , 21 months ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
comment:4 by , 21 months ago
Resolution: | wontfix |
---|---|
Status: | closed → new |
After discussing the ticket here with Carlton, I will re-open the ticket. I'll also assign it to myself.
Thank you!
comment:5 by , 21 months ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:6 by , 21 months ago
Type: | Uncategorized → Cleanup/optimization |
---|---|
comment:7 by , 21 months ago
Cc: | added |
---|---|
Resolution: | → wontfix |
Status: | assigned → closed |
I appreciate you'd like to reopen the ticket, but less than 1 day of discussion and 1 vote is not enough to reopen a ticket. Let's wait a few more days.
Also, take into account that PermissionDenied subclasses are treated differently than BadRequest subclasses.
Hello! Thank you for your report. Considering that this was explicitly discussed in the PR you linked, and that Carlton and the rest of the reviewers were in agreement at the time to treat this as a 400 BadRequest, I believe that the best course of action at this point is to submit a new topic in the Django Forum, explaining your rationale and response status code change request. I'll close the ticket for now, but if there is agreement/positive feedback, please add a new comment here referencing the discussion and we'll be happy to re-open. Thanks!