
Fixed #29471 -- Added 'Vary: Cookie' to invalid/empty session cookie responses.

birthdaysgift 6 vuotta sitten
vanhempi
commit
dc740dde50
3 muutettua tiedostoa jossa 5 lisäystä ja 0 poistoa
  1. 1 0
      AUTHORS
  2. 1 0
      django/contrib/sessions/middleware.py
  3. 3 0
      tests/sessions_tests/tests.py

+ 1 - 0
AUTHORS

@@ -45,6 +45,7 @@ answer newbie questions, and generally made Django that much better:
     Alex Ogier <alex.ogier@gmail.com>
     Alex Robbins <alexander.j.robbins@gmail.com>
     Alexey Boriskin <alex@boriskin.me>
+    Alexey Tsivunin <most-208@yandex.ru>
     Aljosa Mohorovic <aljosa.mohorovic@gmail.com>
     Amit Chakradeo <https://amit.chakradeo.net/>
     Amit Ramon <amit.ramon@gmail.com>

+ 1 - 0
django/contrib/sessions/middleware.py

@@ -40,6 +40,7 @@ class SessionMiddleware(MiddlewareMixin):
                     path=settings.SESSION_COOKIE_PATH,
                     domain=settings.SESSION_COOKIE_DOMAIN,
                 )
+                patch_vary_headers(response, ('Cookie',))
             else:
                 if accessed:
                     patch_vary_headers(response, ('Cookie',))
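Review bot: The new `patch_vary_headers(response, ('Cookie',))` call in the cookie-deletion branch has no comment explaining why a response that only expires the session cookie must vary on Cookie. The `else` branch makes the same call only when `accessed` is true, so the unconditional call here looks inconsistent without one. I would add a comment above it such as `# The deletion Set-Cookie is emitted only because the request carried a session cookie, so caches must key this response on Cookie.` Note also that `Vary` only partitions cache entries by the request's Cookie header and does not stop a shared cache from storing the response. Whether a `Cache-Control` directive is also wanted on this path cannot be judged from the hunk, since the enclosing method starts and ends outside it.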

+ 3 - 0
tests/sessions_tests/tests.py

@@ -748,6 +748,9 @@ class SessionMiddlewareTests(TestCase):
             ),
             str(response.cookies[settings.SESSION_COOKIE_NAME])
         )
+        # SessionMiddleware sets 'Vary: Cookie' to prevent the 'Set-Cookie'
+        # from being cached.
+        self.assertEqual(response['Vary'], 'Cookie')
 
     @override_settings(SESSION_COOKIE_DOMAIN='.example.local', SESSION_COOKIE_PATH='/example/')
     def test_session_delete_on_end_with_custom_domain_and_path(self):
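Review bot: The added test comment says 'Vary: Cookie' prevents the Set-Cookie from being cached, which overstates what the header does. It makes caches key the stored response on the request's Cookie header; it does not forbid storing it. I would reword it to `# The response depends on the request's session cookie, so it must carry` / `# 'Vary: Cookie' to keep caches from serving it to clients with other cookies.` The context line below shows `test_session_delete_on_end_with_custom_domain_and_path`, which presumably exercises the same deletion branch and gets no matching assertion in this commit. Adding `self.assertEqual(response['Vary'], 'Cookie')` there would cover both paths. The test method being patched starts outside the hunk.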