Opened 10 years ago

Closed 7 years ago

#9490 closed (fixed)

Empty session is stored if clean session is accessed

Reported by: Grzegorz Lukasik Owned by: nobody
Component: contrib.sessions Version: 1.0
Severity: Keywords: unused session modified
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


If user opens a page for first time (without a session), and code accesses request.session, then a new session is created and this session has 'modified' flag set to True. So when no data is saved, an empty session is stored in the database and cookie is sent back to the user.

For example if in your code you will call only request.user.is_authenticated(), it triggers user check in the session, the session is created and a new empty session is created in the database.

It is not a bug, but creates unused session objects.

Change History (2)

comment:1 Changed 9 years ago by Jacob

Triage Stage: UnreviewedAccepted

comment:2 Changed 7 years ago by Aymeric Augustin

Resolution: fixed
Status: newclosed

This is fixed in trunk.

The behavior expected by the OP is enforced in django.sessions.middleware. The SESSION_SAVE_EVERY_REQUEST setting allows to always save the session (the old behavior). I could not find tests for the new behavior, but that is another problem.

To confirm that the use case of the OP is indeed fixed, I created a Django project with all the defaults, which means the sessions are stored in the database table django_session and I added this view:

from django.http import HttpResponse
def test(request):
    return HttpResponse('auth: %r' % request.user.is_authenticated()

Accessing the view does not create a session in the database.

Note: See TracTickets for help on using tickets.
Back to Top