[Django] #29450: Redirect using HTTP status "303 See Other" for django.http.response HttpResponseRedirect

Django

May 26, 2018, 12:08:38 PM
to django-...@googlegroups.com
#29450: Redirect using HTTP status "303 See Other" for django.http.response
HttpResponseRedirect
-------------------------------------+-------------------------------------
Reporter: Duane Hutchins | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: HTTP handling | Version: master
Severity: Normal | Keywords: http redirect 302 303
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 1
UI/UX: 0 |
-------------------------------------+-------------------------------------
Regarding:
[https://docs.djangoproject.com/en/2.0/_modules/django/http/response/#HttpResponseRedirect
django.http.response HttpResponseRedirect]

Current redirects use http status 302, which is fine most of the time, but
it can cause issues if browser caching is permitted.

For example:

* Cache-Control allows caching globally
* User is logged in
* User logs out (GET response = 302 redirect)
* This response is cached by the browser
* User logs back in
* User attempts to log out again
* Browser serves cached response from disk and redirects without request
revalidation
* Result: User is not actually logged out

Caching breaks the response, which is why HTTP Status 303 redirects do not
allow caching. They are more appropriate than 302 redirects.
https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.3

Note that 303 redirects are not HTTP/1.0 compatible. A quick check shows
that every modern browser now supports http/1.1 or higher. Still, 302
redirect responses can still be served for http/1.0 requests, if that's a
concern.

Two other tickets (#13277 and #6227) requested this fix 8+ years ago, and
they were closed because http/1.0 was still in common use at the time.

Now that http/1.0 is no longer in common use, can we change this redirect
to 303?

--
Ticket URL: <https://code.djangoproject.com/ticket/29450>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
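
As an added example (not part of the ticket and not Django's code), this stdlib-only Python check applies the explicit-freshness rules of RFC 7234 to a captured redirect response and reports whether a browser cache may replay it without contacting the server, which is the condition the logout scenario above depends on. The sample responses and function names are constructed for illustration; only a private browser cache is modeled, so `Age` and `s-maxage` are ignored.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

REDIRECTS = {301, 302, 303, 307, 308}
CACHEABLE_BY_DEFAULT = {301, 308}  # RFC 7231 section 6.1, RFC 7538


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def replayable_from_cache(status, headers, now=None):
    """True if a browser cache may reuse this redirect without revalidating."""
    if status not in REDIRECTS:
        return False
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    # Simplification: a qualified no-cache="..." is treated like the plain form.
    if "no-store" in cc or "no-cache" in cc:
        return False
    try:
        if "max-age" in cc:  # max-age takes precedence over Expires
            return int(cc["max-age"]) > 0
        if "expires" in h:
            return parsedate_to_datetime(h["expires"]) > now
    except (TypeError, ValueError):
        return False  # malformed freshness info is treated as already stale
    return status in CACHEABLE_BY_DEFAULT


# Constructed sample responses for a GET to a logout URL (not from the ticket).
SAMPLES = [
    ("global max-age", 302, {"Location": "/", "Cache-Control": "max-age=3600"}),
    ("no cache headers", 302, {"Location": "/"}),
    ("no-store", 302, {"Location": "/", "Cache-Control": "no-store, max-age=3600"}),
    ("stale Expires", 302, {"Location": "/", "Expires": "Thu, 01 Jan 1970 00:00:00 GMT"}),
]


def audit(samples):
    """Return the labels of responses a browser could replay from disk."""
    return [label for label, status, hdrs in samples
            if replayable_from_cache(status, hdrs)]
```

Only the response carrying the site-wide `max-age` is flagged; the same redirect sent with `no-store` or with no freshness information is not.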

Django

May 26, 2018, 3:23:39 PM
to django-...@googlegroups.com
#29450: Redirect using HTTP status "303 See Other" for django.http.response
HttpResponseRedirect
-------------------------------------+-------------------------------------
Reporter: Duane Hutchins | Owner: nobody
Type: Cleanup/optimization | Status: closed
Component: HTTP handling | Version: master
Severity: Normal | Resolution: duplicate
Keywords: http redirect 302 303 | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

* status: new => closed
* resolution: => duplicate


Comment:

The correct way to discuss a wontfix ticket is to start a discussion on
the DevelopersMailingList. If there's consensus there to make the change,
then we'll reopen one of the original tickets.

--
Ticket URL: <https://code.djangoproject.com/ticket/29450#comment:1>
