#15855: cache_page decorator bypasses any Vary headers set in middleware
-------------------------------------+-------------------------------------
               Reporter:  carljm     |          Owner:  nobody
                   Type:  Bug        |         Status:  new
              Milestone:             |      Component:  Core (Cache system)
                Version:             |       Severity:  Normal
             Resolution:             |       Keywords:
           Triage Stage:  Design     |      Has patch:  1
  decision needed                    |    Needs tests:  0
    Needs documentation:  0          |  Easy pickings:  0
Patch needs improvement:  0          |
                  UI/UX:  0          |
-------------------------------------+-------------------------------------

Comment (by russellm):

 The reason why @vary_on_cookie and @cache_page don't work with CSRF
 pages is exactly what this ticket describes. The new-style CSRF page puts
 a CSRF token in the HTML. The page needs to be marked @vary_on_cookie
 because the CSRF token, and thus the cached page content, varies on a per-
 user basis. However, the @cache_page decorator caches the page before the
 CSRF middleware has a chance to set the CSRF cookie. As a result,
 @vary_on_cookie doesn't actually cause anything to vary -- there isn't a
 cookie to vary on at the time the @cache_page decorator determines the
 content to be cached.

 This wasn't an issue with the old-style CSRF code because the page content
 was modified by the CSRF middleware. The current docs were accurate for
 the old CSRF approach, but not for the new, explicitly inserted
 {% csrf_token %}.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/15855#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
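
The ordering problem russellm describes, as an added example that is not part of the ticket or of Django's own code: a small stand-alone simulation of cache_page, vary_on_cookie and the CSRF middleware's process_response, using only the standard library. All names here (SimRequest, SimResponse, CACHE, HEADER_LISTS, handle, render_form) are invented for the example; the behaviour modelled is the one stated in the comment, namely that view decorators run first and middleware sets the cookie afterwards, so the page is stored with whatever Vary headers and cookie values exist at decorator time.

```python
import copy
import secrets

CACHE = {}         # (path, request values of the Vary headers) -> response
HEADER_LISTS = {}  # path -> Vary header names learned when the page was stored


class SimRequest:
    def __init__(self, path, cookies=None):
        self.path = path
        self.cookies = dict(cookies or {})
        self.meta = {}  # stands in for request.META


class SimResponse:
    def __init__(self, body):
        self.body = body
        self.headers = {}
        self.cookies = {}


def vary_names(response):
    return [h.strip() for h in response.headers.get("Vary", "").split(",") if h.strip()]


def patch_vary_headers(response, names):
    vary = vary_names(response)
    vary += [n for n in names if n not in vary]
    response.headers["Vary"] = ", ".join(vary)


def vary_on_cookie(view):
    def wrapped(request):
        response = view(request)
        patch_vary_headers(response, ["Cookie"])
        return response
    return wrapped


def cache_key(request, vary):
    # Key on the request's value of each header named in Vary (only Cookie is modelled).
    values = tuple(tuple(sorted(request.cookies.items())) if n == "Cookie" else None
                   for n in vary)
    return (request.path, values)


def cache_page(view):
    def wrapped(request):
        vary = HEADER_LISTS.get(request.path)
        if vary is not None and cache_key(request, vary) in CACHE:
            return copy.deepcopy(CACHE[cache_key(request, vary)])
        response = view(request)
        # Stored now, before any middleware has touched the response: the key
        # uses only the Vary headers and cookie values that exist at this point.
        vary = vary_names(response)
        HEADER_LISTS[request.path] = vary
        CACHE[cache_key(request, vary)] = copy.deepcopy(response)
        return response
    return wrapped


def get_token(request):
    # Modelled on get_token() in django.middleware.csrf (assumption): issue a token during
    # rendering and remember it on the request so process_response can set the cookie.
    if "CSRF_COOKIE" not in request.meta:
        request.meta["CSRF_COOKIE"] = request.cookies.get("csrftoken") or secrets.token_hex(16)
    return request.meta["CSRF_COOKIE"]


def csrf_process_response(request, response):
    # The CSRF middleware's process_response: the cookie (and Vary: Cookie) are only
    # set if get_token() actually ran while this request was rendered.
    if "CSRF_COOKIE" in request.meta:
        response.cookies["csrftoken"] = request.meta["CSRF_COOKIE"]
        patch_vary_headers(response, ["Cookie"])
    return response


def handle(view, request):
    # Request flow: view decorators run first, middleware process_response afterwards.
    return csrf_process_response(request, view(request))


def render_form(request):
    token = get_token(request)
    return SimResponse(f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">')


form_view = cache_page(vary_on_cookie(render_form))  # @cache_page over @vary_on_cookie
form_view_no_vary = cache_page(render_form)           # @cache_page alone


def two_anonymous_visitors():
    """Two visitors without cookies request the @vary_on_cookie page."""
    CACHE.clear()
    HEADER_LISTS.clear()
    first = handle(form_view, SimRequest("/form/"))
    second = handle(form_view, SimRequest("/form/"))
    return first, second, sorted(CACHE)


def middleware_vary_is_ignored():
    """Only the middleware adds Vary: Cookie; cache_page never learns about it."""
    CACHE.clear()
    HEADER_LISTS.clear()
    response = handle(form_view_no_vary, SimRequest("/form/"))
    return HEADER_LISTS["/form/"], response.headers["Vary"]
```

Running two_anonymous_visitors() shows the symptom from the comment: the first visitor's response carries a freshly issued token in both the body and the csrftoken cookie, but the page was stored under a key with an empty Cookie value, so the second cookie-less visitor gets the identical body (the first visitor's token) and, because the view never ran for them, no cookie at all. middleware_vary_is_ignored() shows the ticket title's point: when Vary: Cookie is added only by middleware, the learned header list is empty and every cookie value maps to the same cache entry, even though the response the client sees does say Vary: Cookie.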
