Opened 15 years ago
Closed 13 years ago
#9490 closed (fixed)
Empty session is stored if clean session is accessed
| Reported by: | Grzegorz Lukasik | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.sessions | Version: | 1.0 |
| Severity: | Keywords: | unused session modified | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
If user opens a page for first time (without a session), and code accesses request.session, then a new session is created and this session has 'modified' flag set to True. So when no data is saved, an empty session is stored in the database and cookie is sent back to the user.
For example if in your code you will call only request.user.is_authenticated(), it triggers user check in the session, the session is created and a new empty session is created in the database.
It is not a bug, but creates unused session objects.
Change History (2)
comment:1 by , 15 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 13 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
This is fixed in trunk.
The behavior expected by the OP is enforced in
django.sessions.middleware. TheSESSION_SAVE_EVERY_REQUESTsetting allows to always save the session (the old behavior). I could not find tests for the new behavior, but that is another problem.To confirm that the use case of the OP is indeed fixed, I created a Django project with all the defaults, which means the sessions are stored in the database table
django_sessionand I added this view:from django.http import HttpResponse def test(request): return HttpResponse('auth: %r' % request.user.is_authenticated()Accessing the view does not create a session in the database.