#34571: Request with invalid session after concurrent logout or session timeout is considered a BadRequest
-------------------------------------+-------------------------------------
 Reporter:  Daniel Nunes             |  Owner:  nobody
 Type:  Uncategorized                |  Status:  new
 Component:  contrib.sessions        |  Version:  3.2
 Severity:  Normal                   |  Keywords:  session, session bad request
 Triage Stage:  Unreviewed           |  Has patch:  0
 Needs documentation:  0             |  Needs tests:  0
 Patch needs improvement:  0         |  Easy pickings:  0
 UI/UX:  0                           |
-------------------------------------+-------------------------------------

When working with multiple tabs, if a user logs out or his session times out, any concurrent request happening in another tab will be considered a bad request. See the {{{SessionInterrupted}}} [https://github.com/django/django/blob/e1bbbbe6acb69e755554088bc573cc1835673209/django/contrib/sessions/middleware.py#L63-L67/ exception raised].

I see that [https://github.com/django/django/pull/13395#pullrequestreview-484706827/ @carltongibson was slightly worried about the status code] and I feel the same. This for me should be handled as **forbidden** because the request is actually well-formed, but it's not allowed anymore. What do you think?

--
Ticket URL: <https://code.djangoproject.com/ticket/34571>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.