Opened 10 years ago
Last modified 10 years ago
#23939 closed Bug
SessionAuthenticationMiddleware causes "Vary: Cookie" header no matter what — at Initial Version
Reported by: | Andrew Badr | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 1.7 |
Severity: | Release blocker | Keywords: | cookies |
Cc: | | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Setting a "Vary: Cookie" header when unnecessary is bad for reasons described in e.g. #3586, #6552. It seems that the recently-introduced and on-by-default SessionAuthenticationMiddleware causes this header to always be set. This seems to be caused by the `hasattr(user, 'get_session_auth_hash')` check here: https://github.com/django/django/blob/1.7.1/django/contrib/auth/middleware.py#L34.
To reproduce: start a new empty project with django-admin.py, request the index page, and see that the Vary: Cookie header is present. Commenting out the middleware's line in settings.py causes the header to no longer be sent.
It might be good to add a test verifying that the above steps never set a Vary: Cookie header.
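
A simplified model of the behaviour reported above, added here as an illustration and not taken from Django or from the ticket. `Session`, `LazyUser`, `Request`, `load_user` and `response_headers` are hypothetical stand-ins; the model assumes that `request.user` is loaded lazily from the session and that the session layer adds `Vary: Cookie` whenever the session was read during the request.

```python
# Constructed model, not Django source: shows how a hasattr() check on a lazy
# user object reads the session and therefore forces "Vary: Cookie".

class Session(dict):
    """Stand-in session store that records whether it was read."""
    accessed = False

    def get(self, key, default=None):
        self.accessed = True
        return super().get(key, default)


class User:
    def get_session_auth_hash(self):
        return "constructed-hash"  # constructed sample value


def load_user(request):
    request.session.get("_auth_user_id")  # reading the session flips `accessed`
    return User()


class LazyUser:
    """Stand-in for a lazy request.user: loads the user on first attribute access."""
    def __init__(self, loader):
        self.__dict__["_loader"] = loader
        self.__dict__["_wrapped"] = None

    def __getattr__(self, name):
        # Only reached for attributes not found on the wrapper itself.
        if self._wrapped is None:
            self.__dict__["_wrapped"] = self._loader()
        return getattr(self._wrapped, name)


class Request:
    def __init__(self):
        self.session = Session()
        self.user = LazyUser(lambda: load_user(self))


def response_headers(request, run_auth_check):
    """Serve a view that never touches the session; return the response headers."""
    if run_auth_check:
        # The kind of check the ticket points at: hasattr() resolves the lazy user.
        hasattr(request.user, "get_session_auth_hash")
    headers = {"Content-Type": "text/html"}
    if request.session.accessed:  # assumption: Vary is added only when the session was read
        headers["Vary"] = "Cookie"
    return headers
```

With the check disabled the response carries no `Vary` header; with it enabled every response does, even though the view itself never used the session, which is what makes such responses uncacheable across users.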