Opened 10 years ago

Last modified 10 years ago

#23939 closed Bug

SessionAuthenticationMiddleware causes "Vary: Cookie" header no matter what — at Version 2

Reported by: Andrew Badr
Owned by: nobody
Component: contrib.auth
Version: 1.7
Severity: Release blocker
Keywords: cookies
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Andrew Badr)

Setting a "Vary: Cookie" header when unnecessary is bad for reasons described in e.g. #3586, #6552. It seems that the recently-introduced and on-by-default SessionAuthenticationMiddleware causes this header to always be set. This seems to be caused by the hasattr(user, 'get_session_auth_hash') call at https://github.com/django/django/blob/1.7.1/django/contrib/auth/middleware.py#L34.

To reproduce: start a new empty project with django-admin.py, request the index page, and see that the Vary: Cookie header is present. Commenting out the middleware's line in settings.py causes the header to disappear.

It might be good to add a general test case verifying that the default page never sets a Vary: Cookie header.
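
A simplified, self-contained model of the mechanism the description reports, added here as an illustration and not taken from the ticket or from Django's code. The names `Session`, `LazyUser`, `Request`, `session_auth_check` and `serve` are assumptions standing in for the session's accessed flag, the lazy `request.user`, and the middleware's `hasattr` check.

```python
# Simplified model (assumed names; not Django's own code).

class Session(dict):
    """Tracks whether anything read it, like a session backend's accessed flag."""
    def __init__(self):
        super().__init__()
        self.accessed = False

    def get(self, key, default=None):
        self.accessed = True
        return super().get(key, default)


class AnonymousUser:
    """Unauthenticated user: defines no get_session_auth_hash."""


class LazyUser:
    """Stand-in for the lazy request.user: loads the real user on first lookup."""
    def __init__(self, loader):
        self._loader = loader
        self._wrapped = None

    def __getattr__(self, name):
        # Only reached for attributes not set in __init__, e.g. the one
        # hasattr() probes for. The probe itself forces the load.
        if self._wrapped is None:
            self._wrapped = self._loader()
        return getattr(self._wrapped, name)


class Request:
    def __init__(self):
        self.session = Session()
        self.user = LazyUser(self._load_user)

    def _load_user(self):
        # Resolving the user means reading the session for a user id.
        self.session.get("_auth_user_id")
        return AnonymousUser()


def session_auth_check(request):
    """The check the ticket points at, applied to the lazy user."""
    return hasattr(request.user, "get_session_auth_hash")


def serve(with_session_auth_middleware):
    """Handle one anonymous request to a view that never touches the session."""
    request = Request()
    if with_session_auth_middleware:
        session_auth_check(request)
    # Response step: vary on Cookie only if the session was read.
    return {"Vary": "Cookie"} if request.session.accessed else {}
```

In the model, the view itself never reads the session, so the only thing that flips `accessed` is the attribute probe on the lazy user.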

Change History (2)

comment:1 by Andrew Badr, 10 years ago

Description: modified (diff)

comment:2 by Andrew Badr, 10 years ago

Description: modified (diff)