| 24 | | If request.session was modified, or if the configuration is to save the |
| 25 | | session every time, save the changes and set a session cookie or delete |
| 26 | | the session cookie if the session has been emptied. |
| | 24 | If the request contains the session cookie but the session is empty we |
| | 25 | should remove the cookie. If the session is modified or set to always |
| | 26 | save we should prepare the cookie headers, check that we are not |
| | 27 | returning a 500 response, save the session, and set the cookie. Last if |
| | 28 | the session is not empty but we did not need to set the cookie because |
| | 29 | it was not modified or our settings do not require us to always save we |
| | 30 | can assume it was previously set and just apply the vary cookie header. |
| 43 | | else: |
| 44 | | if accessed: |
| 45 | | patch_vary_headers(response, ('Cookie',)) |
| 46 | | if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty: |
| 47 | | if request.session.get_expire_at_browser_close(): |
| 48 | | max_age = None |
| 49 | | expires = None |
| 50 | | else: |
| 51 | | max_age = request.session.get_expiry_age() |
| 52 | | expires_time = time.time() + max_age |
| 53 | | expires = http_date(expires_time) |
| 54 | | # Save the session data and refresh the client cookie. |
| 55 | | # Skip session save for 500 responses, refs #3881. |
| 56 | | if response.status_code != 500: |
| 57 | | try: |
| 58 | | request.session.save() |
| 59 | | except UpdateError: |
| 60 | | raise SuspiciousOperation( |
| 61 | | "The request's session was deleted before the " |
| 62 | | "request completed. The user may have logged " |
| 63 | | "out in a concurrent request, for example." |
| 64 | | ) |
| 65 | | response.set_cookie( |
| 66 | | settings.SESSION_COOKIE_NAME, |
| 67 | | request.session.session_key, max_age=max_age, |
| 68 | | expires=expires, domain=settings.SESSION_COOKIE_DOMAIN, |
| 69 | | path=settings.SESSION_COOKIE_PATH, |
| 70 | | secure=settings.SESSION_COOKIE_SECURE or None, |
| 71 | | httponly=settings.SESSION_COOKIE_HTTPONLY or None, |
| 72 | | samesite=settings.SESSION_COOKIE_SAMESITE, |
| | 49 | patch_vary_headers(response, ('Cookie',)) |
| | 50 | elif ( |
| | 51 | (modified or settings.SESSION_SAVE_EVERY_REQUEST) and |
| | 52 | not empty |
| | 53 | ): |
| | 54 | if request.session.get_expire_at_browser_close(): |
| | 55 | max_age = None |
| | 56 | expires = None |
| | 57 | else: |
| | 58 | max_age = request.session.get_expiry_age() |
| | 59 | expires_time = time.time() + max_age |
| | 60 | expires = http_date(expires_time) |
| | 61 | # Save the session data and refresh the client cookie. |
| | 62 | # Skip session save for 500 responses, refs #3881. |
| | 63 | if response.status_code != 500: |
| | 64 | try: |
| | 65 | request.session.save() |
| | 66 | except UpdateError: |
| | 67 | raise SuspiciousOperation( |
| | 68 | "The request's session was deleted before the " |
| | 69 | "request completed. The user may have logged " |
| | 70 | "out in a concurrent request, for example." |
| | 72 | response.set_cookie( |
| | 73 | settings.SESSION_COOKIE_NAME, |
| | 74 | request.session.session_key, max_age=max_age, |
| | 75 | expires=expires, domain=settings.SESSION_COOKIE_DOMAIN, |
| | 76 | path=settings.SESSION_COOKIE_PATH, |
| | 77 | secure=settings.SESSION_COOKIE_SECURE or None, |
| | 78 | httponly=settings.SESSION_COOKIE_HTTPONLY or None, |
| | 79 | samesite=settings.SESSION_COOKIE_SAMESITE, |
| | 80 | ) |
| | 81 | patch_vary_headers(response, ('Cookie',)) |
| | 82 | elif not empty: |
| | 83 | patch_vary_headers(response, ('Cookie',)) |