Fixed #29471 -- Added 'Vary: Cookie' to invalid/empty session cookie responses.

dc740dde · birthdaysgift · Tim Graham · d64808ca · dc740dde · dc740dde
Kaydet (Commit) dc740dde authored Mar 18, 2019 tarafından birthdaysgift Kaydeden (comit) Tim Graham Mar 21, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

AUTHORS AUTHORS +1 -0

middleware.py django/contrib/sessions/middleware.py +1 -0

tests.py tests/sessions_tests/tests.py +3 -0

No files found.
--- a/AUTHORS
+++ b/AUTHORS
@@ -45,6 +45,7 @@ answer newbie questions, and generally made Django that much better:
    Alex Ogier <alex.ogier@gmail.com>
    Alex Robbins <alexander.j.robbins@gmail.com>
    Alexey Boriskin <alex@boriskin.me>
+    Alexey Tsivunin <most-208@yandex.ru>
    Aljosa Mohorovic <aljosa.mohorovic@gmail.com>
    Amit Chakradeo <https://amit.chakradeo.net/>
    Amit Ramon <amit.ramon@gmail.com>

--- a/django/contrib/sessions/middleware.py
+++ b/django/contrib/sessions/middleware.py
@@ -40,6 +40,7 @@ class SessionMiddleware(MiddlewareMixin):
                    path=settings.SESSION_COOKIE_PATH,
                    domain=settings.SESSION_COOKIE_DOMAIN,
                )
+                patch_vary_headers(response, ('Cookie',))
            else:
                if accessed:
                    patch_vary_headers(response, ('Cookie',))

--- a/tests/sessions_tests/tests.py
+++ b/tests/sessions_tests/tests.py
@@ -748,6 +748,9 @@ class SessionMiddlewareTests(TestCase):
            ),
            str(response.cookies[settings.SESSION_COOKIE_NAME])
        )
+        # SessionMiddleware sets 'Vary: Cookie' to prevent the 'Set-Cookie'
+        # from being cached.
+        self.assertEqual(response['Vary'], 'Cookie')

    @override_settings(SESSION_COOKIE_DOMAIN='.example.local', SESSION_COOKIE_PATH='/example/')
    def test_session_delete_on_end_with_custom_domain_and_path(self):