#11506: session.flush should not delete the old session
-------------------------------------+--------------------------------------
 Reporter:  Glenn                    |       Owner:  nobody    
   Status:  new                      |   Milestone:            
Component:  django.contrib.sessions  |     Version:  SVN       
 Keywords:                           |       Stage:  Unreviewed
Has_patch:  1                        |  
-------------------------------------+--------------------------------------
 Flushing and cycling the session should empty the data in the session and
 create a new key, but should not delete the old key.

 Scenario:

 1: JS kicks off a periodic AJAX request to update something, which is
 delayed in transit.

 2: User submits an AJAX login form, which calls auth.login, calling
 session.flush or session.cycle_key.  The AJAX response sets a new session
 cookie for the user.

 3: The async request from #1 makes it to the server.  This still has the
 old cookie, since it started before #2 finished.  contrib.session doesn't
 recognize the cookie, since the previous request deleted it.  It thinks
 it's an expired or corrupt session cookie, and flushes the session again.

 #2 logs the user in, then #3 logs the user back out.  (I've seen this
 happen even without AJAX logins, when using django.views.static.serve in
 development.)

 session.flush should leave the old session in the database, and just clear
 its data.  That way, when #3 comes around, it won't be an unrecognized
 session, and it won't trigger a session flush.  Let the old session row
 expire on its own, like any idle session.

 This doesn't change the definition of the function: "Removes the current
 session data from the database and regenerates the key."

 This patch also fixes and tests session.cycle_key() raising an error if no
 session already existed; accessing self._session_cache raises
 AttributeError.  This was triggering while I was writing the main test.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/11506>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
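
The race in the scenario above, reduced to a toy in-memory session store and run in both modes. This is an added example, not code from the ticket's patch or from Django; `Store`, `scenario` and the `user_id` key are hypothetical names, and the "unknown key means issue a fresh session" rule is modelled on the behaviour the ticket describes.

```python
import secrets

class Store:
    """Toy stand-in for the session table (assumption: not Django's code)."""
    def __init__(self, keep_old_row):
        self.rows = {}
        self.keep_old_row = keep_old_row

    def create(self):
        key = secrets.token_hex(16)
        self.rows[key] = {}
        return key

    def flush(self, key):
        """Empty the session and hand out a new key."""
        if self.keep_old_row:
            self.rows[key] = {}        # proposed: clear data, let the row expire
        else:
            self.rows.pop(key, None)   # behaviour the ticket reports
        return self.create()

    def load(self, key):
        """Return (key, was_reset); an unknown key is replaced by a new session."""
        if key in self.rows:
            return key, False
        return self.create(), True

def scenario(keep_old_row):
    store = Store(keep_old_row)
    cookie = store.create()       # browser's anonymous session
    old_cookie = cookie           # step 1: delayed request carries this cookie

    new_key = store.flush(cookie)           # step 2: login cycles the session
    store.rows[new_key]["user_id"] = 42     # constructed sample value
    cookie = new_key                        # login response sets the new cookie

    key, was_reset = store.load(old_cookie) # step 3: delayed request arrives
    if was_reset:
        cookie = key              # its response overwrites the login cookie

    logged_in = "user_id" in store.rows[cookie]
    return logged_in, store.rows.get(old_cookie)

if __name__ == "__main__":
    print("delete old row:", scenario(keep_old_row=False))
    print("keep old row:  ", scenario(keep_old_row=True))
```

With the old row kept, the old key still resolves, but only to an empty session, so none of the post-login data is reachable through it.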