[Django] #34571: Request with invalid session after concurrent logout or session timeout is considered a BadRequest


Django

May 16, 2023, 12:10:50 PM
to django-...@googlegroups.com
#34571: Request with invalid session after concurrent logout or session timeout is
considered a BadRequest
-------------------------------------+-------------------------------------
Reporter: Daniel Nunes | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.sessions | Version: 3.2
Severity: Normal | Keywords: session, session bad request
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
When working with multiple tabs, if a user logs out or his session times
out, any concurrent request happening in another tab will be considered a
bad request. See the {{{SessionInterrupted}}}
[https://github.com/django/django/blob/e1bbbbe6acb69e755554088bc573cc1835673209/django/contrib/sessions/middleware.py#L63-L67/
exception raised].


I see that
[https://github.com/django/django/pull/13395#pullrequestreview-484706827/
@carltongibson was slightly worried about the status code] and I feel the
same. This for me should be handled as **forbidden** because the request
is actually well-formed, but it's not allowed anymore.

What do you think?

--
Ticket URL: <https://code.djangoproject.com/ticket/34571>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

May 16, 2023, 12:15:16 PM
to django-...@googlegroups.com
#34571: Request with invalid session after concurrent logout or session timeout is
considered a BadRequest
-------------------------------------+-------------------------------------
Reporter: Daniel Nunes | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.sessions | Version: 3.2
Severity: Normal | Resolution:
Keywords: session, session bad request | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Daniel Nunes:

Old description:

> When working with multiple tabs, if a user logs out or his session times
> out, any concurrent request happening in another tab will be considered a
> bad request. See the {{{SessionInterrupted}}}
> [https://github.com/django/django/blob/e1bbbbe6acb69e755554088bc573cc1835673209/django/contrib/sessions/middleware.py#L63-L67/
> exception raised].
>

> I see that
> [https://github.com/django/django/pull/13395#pullrequestreview-484706827/
> @carltongibson was slightly worried about the status code] and I feel the
> same. This for me should be handled as **forbidden** because the request
> is actually well-formed, but it's not allowed anymore.
>
> What do you think?

New description:

When working with multiple tabs, if a user logs out or his session times
out, any concurrent request happening in another tab will be considered a
bad request. See the {{{SessionInterrupted}}}
[https://github.com/django/django/blob/e1bbbbe6acb69e755554088bc573cc1835673209/django/contrib/sessions/middleware.py#L63-L67/
exception raised].


I see that
[https://github.com/django/django/pull/13395#pullrequestreview-484706827/
@carltongibson was slightly worried about the status code] and I feel the
same. This for me should be handled as **forbidden**

({{{SessionInterrupted}}} being a subclass of {{{PermissionDenied}}})


because the request is actually well-formed, but it's not allowed anymore.

What do you think?

--

--
Ticket URL: <https://code.djangoproject.com/ticket/34571#comment:1>

Django

May 16, 2023, 12:22:47 PM
to django-...@googlegroups.com
#34571: Request with invalid session after concurrent logout or session timeout is
considered a BadRequest
-------------------------------------+-------------------------------------
Reporter: Daniel Nunes | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.sessions | Version: 3.2
Severity: Normal | Resolution:
Keywords: session, session bad request | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by Daniel Nunes:

Old description:

> When working with multiple tabs, if a user logs out or his session times
> out, any concurrent request happening in another tab will be considered a
> bad request. See the {{{SessionInterrupted}}}
> [https://github.com/django/django/blob/e1bbbbe6acb69e755554088bc573cc1835673209/django/contrib/sessions/middleware.py#L63-L67/
> exception raised].
>

> I see that
> [https://github.com/django/django/pull/13395#pullrequestreview-484706827/
> @carltongibson was slightly worried about the status code] and I feel the
> same. This for me should be handled as **forbidden**

> ({{{SessionInterrupted}}} being a subclass of {{{PermissionDenied}}})
> because the request is actually well-formed, but it's not allowed
> anymore.
>
> What do you think?

New description:

When working with multiple tabs, if a user logs out or his session times
out, any concurrent request happening in another tab will be considered a
bad request. See the {{{SessionInterrupted}}}
[https://github.com/django/django/blob/e1bbbbe6acb69e755554088bc573cc1835673209/django/contrib/sessions/middleware.py#L63-L67/
exception raised].

I see that
[https://github.com/django/django/pull/13395#pullrequestreview-484706827/
@carltongibson was slightly worried about the status code] and I feel the
same. This for me should be handled as **forbidden**
({{{SessionInterrupted}}} being a subclass of {{{PermissionDenied}}})
because the request is actually well-formed, but it's not allowed anymore.

What do you think?

--

--
Ticket URL: <https://code.djangoproject.com/ticket/34571#comment:2>

Django

May 16, 2023, 12:58:40 PM
to django-...@googlegroups.com
#34571: Request with invalid session after concurrent logout or session timeout is
considered a BadRequest
-------------------------------------+-------------------------------------
Reporter: Daniel Nunes | Owner: nobody
Type: Uncategorized | Status: closed
Component: contrib.sessions | Version: 3.2
Severity: Normal | Resolution: wontfix
Keywords: session, session bad request | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):

* status: new => closed
* resolution: => wontfix


Comment:

Hello! Thank you for your report. Considering that this was explicitly
discussed in the PR you linked, and that Carlton and the rest of the
reviewers were in agreement at the time to treat this as a 400
`BadRequest`, I believe that the best course of action at this point is to
submit a new topic in the [https://forum.djangoproject.com/c/internals/5
Django Forum], explaining your rationale and response status code change
request. I'll close the ticket for now, but if there is agreement/positive
feedback, please add a new comment here referencing the discussion and
we'll be happy to re-open. Thanks!

--
Ticket URL: <https://code.djangoproject.com/ticket/34571#comment:3>

Django

May 17, 2023, 7:04:44 AM
to django-...@googlegroups.com
#34571: Request with invalid session after concurrent logout or session timeout is
considered a BadRequest
-------------------------------------+-------------------------------------
Reporter: Daniel Nunes | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.sessions | Version: 3.2
Severity: Normal | Resolution:
Keywords: session, session bad request | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Daniel Nunes):

* status: closed => new
* resolution: wontfix =>


Comment:

After discussing the ticket [https://forum.djangoproject.com/t/request-
with-invalid-session-after-concurrent-logout-or-session-timeout-is-
considered-a-badrequest/20980 here] with Carlton, I will re-open the
ticket. I'll also assign it to myself.

Thank you!

--
Ticket URL: <https://code.djangoproject.com/ticket/34571#comment:4>

Django

May 17, 2023, 7:05:18 AM
to django-...@googlegroups.com
#34571: Request with invalid session after concurrent logout or session timeout is
considered a BadRequest
-------------------------------------+-------------------------------------
Reporter: Daniel Nunes | Owner: Daniel Nunes
Type: Uncategorized | Status: assigned
Component: contrib.sessions | Version: 3.2
Severity: Normal | Resolution:
Keywords: session, session bad request | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Daniel Nunes):

* owner: nobody => Daniel Nunes
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/34571#comment:5>

Django

May 17, 2023, 7:05:57 AM
to django-...@googlegroups.com
#34571: Request with invalid session after concurrent logout or session timeout is
considered a BadRequest
-------------------------------------+-------------------------------------
Reporter: Daniel Nunes | Owner: Daniel Nunes
Type: Cleanup/optimization | Status: assigned
Component: contrib.sessions | Version: 3.2
Severity: Normal | Resolution:
Keywords: session, session bad request | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Daniel Nunes):

* type: Uncategorized => Cleanup/optimization


--
Ticket URL: <https://code.djangoproject.com/ticket/34571#comment:6>

Django

May 17, 2023, 7:11:48 AM
to django-...@googlegroups.com
#34571: Request with invalid session after concurrent logout or session timeout is
considered a BadRequest
-------------------------------------+-------------------------------------
Reporter: Daniel Nunes | Owner: Daniel Nunes
Type: Cleanup/optimization | Status: closed
Component: contrib.sessions | Version: 3.2
Severity: Normal | Resolution: wontfix
Keywords: session, session bad request | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* cc: Carlton Gibson (added)
* status: assigned => closed
* resolution: => wontfix


Comment:

I appreciate you'd like to reopen the ticket, but less than 1 day of
discussion and 1 vote is not enough to reopen a ticket. Let's wait a few
more days.

Also, take into account that `PermissionDenied` subclasses are
[https://github.com/django/django/blob/93830abf7694e0f281931f10eeaa34993855e7dd/django/core/handlers/exception.py#L72-L82
treated] differently than `BadRequest`
[https://github.com/django/django/blob/93830abf7694e0f281931f10eeaa34993855e7dd/django/core/handlers/exception.py#L96-L112
subclasses].

--
Ticket URL: <https://code.djangoproject.com/ticket/34571#comment:7>
