Django 1.4 bug: Using cache_page and csrf_protect decorators results in a messy Set-Cookie response header.


Suteepat Damrongyingsupab

May 12, 2012, 4:13:48 PM
to django-d...@googlegroups.com
I'm using Django 1.4.
According to the Django CSRF docs, I decorate my class-based view in urls.py as follows:

cache_page(1800)(csrf_protect(MyView.as_view()))

I kept reloading the MyView page URL, and the Set-Cookie header would become nested like this:

Set-Cookie: csrftoken="Set-Cookie: csrftoken=\"Set-Cookie: csrftoken=XeRCBpXuNpuRie17OqWrDIM3xKt9hV3Q\\073 expires=Sat\\054 11-May-2013 19:50:21 GMT\\073 Max-Age=31449600\\073 Path=/\""

I don't know what triggers this behavior.
Has anyone run into a problem like this? Please help.
Thanks.




Paul McMillan

May 13, 2012, 1:14:21 PM
to django-d...@googlegroups.com
That looks a lot like 15863.
https://code.djangoproject.com/ticket/15863

Which cache backend are you using? Which session backend? Are you
absolutely positive you are using Django 1.4, and not a
system-installed version of 1.3? Does your code pickle or unpickle
sessions or cookies anywhere outside of the caching framework?

I thought we fixed that bug, but if you can provide minimal steps to
reproduce it in Django 1.4, we'll have to reopen the ticket.

-Paul

Suteepat Damrongyingsupab

May 14, 2012, 5:24:24 AM
to django-d...@googlegroups.com
I've just found the root cause of the problem.
The bug occurs when using ListView (I haven't tested other CBVs, though) and decorating it with cache_page and csrf_protect.
I've tested it with a new clean project and left settings.py as a default.
The simple code I used to test is as follows:

urls.py (excerpt):
    url(r'safe/$', cache_page(1800)(csrf_protect(SafeView.as_view()))),
    url(r'bug/$', cache_page(1800)(csrf_protect(BugView.as_view()))),

views.py:
from django.shortcuts import render_to_response
from django.template import RequestContext
from django.views.generic import View, ListView

class SafeView(View):
    # Plain View: responds through the render_to_response shortcut
    template_name = 'basic/index.html'

    def get(self, request):
        return render_to_response('basic/index.html', {'msg': 'Hello, world'}, context_instance=RequestContext(request))

class BugView(ListView):
    # Generic ListView rendering the same template; no explicit get() needed
    template_name = 'basic/index.html'
    queryset = []

template (basic/index.html):
Today message: {{ msg }}<br>{% csrf_token %}

I kept reloading the SafeView page (20+ times) and the bug didn't occur.
If you try reloading the BugView page, the bug will occur within 10 reloads.

Rafał Stożek

May 14, 2012, 8:25:53 AM
to django-d...@googlegroups.com
Could you try again to cause the bug with the SafeView class, but this time using the TemplateResponse class instead of the render_to_response shortcut?

Rafał Stożek

May 14, 2012, 8:28:50 AM
to django-d...@googlegroups.com
Oh, I see where the bug is. SimpleTemplateResponse.__getstate__ does not call super(). And HttpResponse class serializes cookies in its __getstate__ method. So basically SimpleTemplateResponse doesn't serialize cookies correctly.

Suteepat Damrongyingsupab

May 14, 2012, 11:39:37 AM
to django-d...@googlegroups.com
Hi all,
Thanks for your help investigating the issue. I didn't have a chance to look further into it.
So every class-based view that subclasses TemplateResponseMixin is affected by this bug, because it uses TemplateResponse as its response_class.

Rafał Stożek

May 15, 2012, 9:53:39 AM
to django-d...@googlegroups.com
Should we reopen https://code.djangoproject.com/ticket/15863 then?


Paul McMillan

May 18, 2012, 1:37:51 AM
to django-d...@googlegroups.com
No, please open a new bug detailing this issue.

-Paul