Opened 7 years ago
Closed 7 years ago
#29450 closed Cleanup/optimization (duplicate)
Redirect using HTTP status "303 See Other" for django.http.response HttpResponseRedirect
Reported by: | Duane Hutchins | Owned by: | nobody |
---|---|---|---|
Component: | HTTP handling | Version: | dev |
Severity: | Normal | Keywords: | http redirect 302 303 |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
Regarding: django.http.response HttpResponseRedirect
Current redirects use http status 302, which is fine most of the time, but it can cause issues if browser caching is permitted.
For example:
- Cache-Control allows caching globally
- User is logged in
- User logs out (GET response = 302 redirect)
- This response is cached by the browser
- User logs back in
- User attempts to log out again
- Browse serves cached response from disk and redirects without request revalidation
- Result: User is not actually logged out
Caching breaks the response, which is why HTTP Status 303 redirects do not allow caching. They are more appropriate than 302 redirects.
https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.3
Note that 303 redirects are not HTTP/1.0 compatible. A quick check shows that every modern browser now supports http/1.1 or higher. Still, 302 redirect responses can still be served for http/1.0 requests, if that's a concern.
Two other tickets (#13277 and #6227) requested this fix 8+ years ago, and they were closed because http/1.0 was still in common use at the time.
Now that http/1.0 is no longer in common use, can we change this redirect to 303?
The correct way to discuss a wontfix ticket is to start a discussion on the DevelopersMailingList. If there's consensus there to make the change, then we'll reopen one of the original tickets.