Opened 16 years ago

Closed 14 years ago

#9490 closed (fixed)

Empty session is stored if clean session is accessed

Reported by: Grzegorz Lukasik
Owned by: nobody
Component: contrib.sessions
Version: 1.0
Severity:
Keywords: unused session modified
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

If a user opens a page for the first time (without a session), and code accesses request.session, then a new session is created and this session has the 'modified' flag set to True. So when no data is saved, an empty session is stored in the database and a cookie is sent back to the user.

For example, if your code calls only request.user.is_authenticated(), it triggers a user check in the session, the session is created and a new empty session is created in the database.

It is not a bug, but it creates unused session objects.

Change History (2)

comment:1 by Jacob, 16 years ago

Triage Stage: Unreviewed → Accepted

comment:2 by Aymeric Augustin, 14 years ago

Resolution: fixed
Status: new → closed

This is fixed in trunk.

The behavior expected by the OP is enforced in django.sessions.middleware. The SESSION_SAVE_EVERY_REQUEST setting allows always saving the session (the old behavior). I could not find tests for the new behavior, but that is another problem.

To confirm that the use case of the OP is indeed fixed, I created a Django project with all the defaults, which means the sessions are stored in the database table django_session, and I added this view:

from django.http import HttpResponse

def test(request):
    return HttpResponse('auth: %r' % request.user.is_authenticated())

Accessing the view does not create a session in the database.
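
The save decision this ticket is about, as an added example that is not part of the ticket or Django's own code: a simplified, self-contained model in which reading a session only marks it accessed, and a row and cookie are produced only when it is modified or when a save-every-request option is on. `ModelSession`, `process_response`, `first_visit` and `STORE` are hypothetical names, and the session key name and value are constructed.

```python
# Simplified model of the save decision discussed in this ticket.
# Not Django's code: ModelSession, process_response and STORE are hypothetical.
import secrets

STORE = {}  # stands in for the django_session table


class ModelSession:
    def __init__(self):
        self.key = None
        self.data = {}
        self.accessed = False
        self.modified = False

    def get(self, name, default=None):
        self.accessed = True  # a read marks the session accessed only
        return self.data.get(name, default)

    def __setitem__(self, name, value):
        self.accessed = self.modified = True  # only writes mark it modified
        self.data[name] = value

    def save(self):
        self.key = self.key or secrets.token_urlsafe(24)
        STORE[self.key] = dict(self.data)


def process_response(session, save_every_request=False):
    """Persist and set the cookie only when needed; return added headers."""
    headers = {}
    if session.modified or save_every_request:
        session.save()
        headers["Set-Cookie"] = "sessionid=%s; HttpOnly" % session.key
    return headers


def first_visit(write=False, save_every_request=False):
    """Constructed request from a client with no session cookie."""
    STORE.clear()
    session = ModelSession()
    if write:
        session["_auth_user_id"] = "42"  # constructed value, e.g. a login
    else:
        session.get("_auth_user_id")  # read-only, like an auth check
    headers = process_response(session, save_every_request)
    return session.accessed, headers, len(STORE)
```

A regression test against a real project would check the same three cases by counting rows in django_session after each request.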
