From dc740dde50873e82f761386fd73ca17d9eaa008b Mon Sep 17 00:00:00 2001
From: birthdaysgift
Date: Mon, 18 Mar 2019 18:15:06 +0300
Subject: [PATCH] Fixed #29471 -- Added 'Vary: Cookie' to invalid/empty session cookie responses.
---
 AUTHORS | 1 +
 django/contrib/sessions/middleware.py | 1 +
 tests/sessions_tests/tests.py | 3 +++
 3 files changed, 5 insertions(+)
diff --git a/AUTHORS b/AUTHORS
index 8e966b2cf8..6fed0a63cd 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -45,6 +45,7 @@ answer newbie questions, and generally made Django that much better:
 Alex Ogier
 Alex Robbins
 Alexey Boriskin
+ Alexey Tsivunin
 Aljosa Mohorovic
 Amit Chakradeo
 Amit Ramon
diff --git a/django/contrib/sessions/middleware.py b/django/contrib/sessions/middleware.py
index 6795354cc5..6e59390981 100644
--- a/django/contrib/sessions/middleware.py
+++ b/django/contrib/sessions/middleware.py
@@ -40,6 +40,7 @@ class SessionMiddleware(MiddlewareMixin):
 path=settings.SESSION_COOKIE_PATH,
 domain=settings.SESSION_COOKIE_DOMAIN,
 )
+ patch_vary_headers(response, ('Cookie',))
 else:
 if accessed:
 patch_vary_headers(response, ('Cookie',))
diff --git a/tests/sessions_tests/tests.py b/tests/sessions_tests/tests.py
index 0e8cb79fd5..e9896dc18a 100644
--- a/tests/sessions_tests/tests.py
+++ b/tests/sessions_tests/tests.py
@@ -748,6 +748,9 @@ class SessionMiddlewareTests(TestCase):
 ),
 str(response.cookies[settings.SESSION_COOKIE_NAME])
 )
+ # SessionMiddleware sets 'Vary: Cookie' to prevent the 'Set-Cookie'
+ # from being cached.
+ self.assertEqual(response['Vary'], 'Cookie')
 @override_settings(SESSION_COOKIE_DOMAIN='.example.local', SESSION_COOKIE_PATH='/example/')
 def test_session_delete_on_end_with_custom_domain_and_path(self):
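Review bot: The new `patch_vary_headers(response, ('Cookie',))` line in django/contrib/sessions/middleware.py carries no comment explaining why this branch adds the header unconditionally while the `else:` branch adds it only `if accessed:`; the rationale lives only in the test. Judging by the commit subject this is the branch that deletes an invalid or empty session cookie (the call being closed starts outside the hunk), so I would add above it `# The cookie is deleted because of what the request sent, so the response varies on Cookie.` Note that `Vary: Cookie` only makes caches key on the request's Cookie header; whether a response carrying this `Set-Cookie` is stored at all depends on cache-control handling that is not visible here and is worth confirming. The enclosing method starts and ends outside the hunk.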
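Review bot: The comment added in tests/sessions_tests/tests.py overstates what the header does: `Vary: Cookie` does not stop the `Set-Cookie` from being cached, it makes caches key the stored response on the request's Cookie header so it is not replayed to clients that sent a different cookie. I would reword it to `# The response depends on the request's session cookie, so SessionMiddleware` followed by `# must set 'Vary: Cookie' for caches to key on it.` The exact-match `assertEqual(response['Vary'], 'Cookie')` is fine as long as nothing else in this test touches Vary. The test method starts outside the hunk.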