[Django] #29728: CSRF_USE_SESSIONS leads to session save on every request using csrf

Django

Sep 1, 2018, 10:32:24 AM
to django-...@googlegroups.com
#29728: CSRF_USE_SESSIONS leads to session save on every request using csrf
------------------------------------------------+------------------------
Reporter: Michal Čihař | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: CSRF | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
The way CSRF saving in the session is currently implemented leads to
updating the session with every request which uses CSRF tokens. Having many
CSRF protected forms on the site leads to a session update with almost every
request. IMHO this is not really needed and it should update the session
only if needed.

--
Ticket URL: <https://code.djangoproject.com/ticket/29728>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Sep 1, 2018, 11:21:07 AM
to django-...@googlegroups.com
#29728: CSRF_USE_SESSIONS leads to session save on every request using csrf
--------------------------------------+------------------------------------
Reporter: Michal Čihař | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: CSRF | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 1 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Claude Paroz):

* has_patch: 0 => 1
* needs_tests: 0 => 1
* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/29728#comment:1>

Django

Sep 1, 2018, 5:35:49 PM
to django-...@googlegroups.com
#29728: CSRF_USE_SESSIONS leads to session save on every request using csrf
--------------------------------------+------------------------------------
Reporter: Michal Čihař | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: CSRF | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Michal Čihař):

* needs_tests: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/29728#comment:2>

Django

Sep 1, 2018, 6:51:00 PM
to django-...@googlegroups.com
#29728: CSRF_USE_SESSIONS leads to session save on every request using csrf
-------------------------------------+-------------------------------------
Reporter: Michal Čihař | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: CSRF | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Simon Charette):

* stage: Accepted => Ready for checkin


Comment:

Patch should be RFC once the minor changes are addressed. Maybe it's
something worth mentioning in the release notes?

--
Ticket URL: <https://code.djangoproject.com/ticket/29728#comment:3>

Django

Sep 8, 2018, 12:05:37 PM
to django-...@googlegroups.com
#29728: CSRF_USE_SESSIONS leads to session save on every request using csrf
-------------------------------------+-------------------------------------
Reporter: Michal Čihař | Owner: nobody
Type: Cleanup/optimization | Status: closed
Component: CSRF | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: new => closed
* resolution: => fixed


Comment:

In [changeset:"22e8ab02863819093832de9f771bf40a62a6bd4a" 22e8ab02]:
{{{
#!CommitTicketReference repository=""
revision="22e8ab02863819093832de9f771bf40a62a6bd4a"
Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/29728#comment:4>
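
The behaviour the ticket describes and the guard named in the closing commit message, modelled in a stand-alone sketch. This is an added example, not Django's code or the committed patch; `CountingSession`, both setter functions, the key name and the token values are constructed for illustration, and the model assumes a session that is marked dirty on any item assignment and saved at the end of the request only when dirty.

```python
CSRF_SESSION_KEY = "_csrftoken"  # key name assumed for this sketch


class CountingSession(dict):
    """Toy session store: every item assignment marks the session dirty."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.modified = False
        self.saves = 0

    def __setitem__(self, key, value):
        super().__setitem__(key, value)
        self.modified = True  # dirty even when the value is identical

    def end_of_request(self):
        """Stand-in for the session middleware: persist only when dirty."""
        if self.modified:
            self.saves += 1
            self.modified = False


def set_token_always(session, token):
    """Unconditional write: the pattern the ticket reports."""
    session[CSRF_SESSION_KEY] = token


def set_token_if_changed(session, token):
    """Compare first, so an unchanged token never dirties the session."""
    if session.get(CSRF_SESSION_KEY) != token:
        session[CSRF_SESSION_KEY] = token


def count_saves(setter, tokens):
    """Replay one token per request and return how many saves happened."""
    session = CountingSession()
    for token in tokens:
        setter(session, token)
        session.end_of_request()
    return session.saves


# Constructed traffic: four requests with one token, a rotation, one more request.
TOKENS = ["tokA"] * 4 + ["tokB"] * 2

if __name__ == "__main__":
    print("always:", count_saves(set_token_always, TOKENS))
    print("if changed:", count_saves(set_token_if_changed, TOKENS))
```

With the guard, the session is written once when the token is first stored and once more when it rotates, rather than once per request.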
