#34571: Request with invalid session after concurrent logout or session timeout is considered a BadRequest
-------------------------------------+-------------------------------------
     Reporter:  Daniel Nunes          |                    Owner:  nobody
         Type:  Uncategorized         |                   Status:  new
    Component:  contrib.sessions      |                  Version:  3.2
     Severity:  Normal                |               Resolution:
     Keywords:  session, session bad  |             Triage Stage:  Unreviewed
                request               |
    Has patch:  0                     |      Needs documentation:  0
  Needs tests:  0                     |  Patch needs improvement:  0
Easy pickings:  0                     |                    UI/UX:  0
-------------------------------------+-------------------------------------
Description changed by Daniel Nunes:
Old description:
> When working with multiple tabs, if a user logs out or his session times
> out, any concurrent request happening in another tab will be considered a
> bad request. See the {{{SessionInterrupted}}}
> [https://github.com/django/django/blob/e1bbbbe6acb69e755554088bc573cc1835673209/django/contrib/sessions/middleware.py#L63-L67/
> exception raised].
>
> I see that
> [https://github.com/django/django/pull/13395#pullrequestreview-484706827/
> @carltongibson was slightly worried about the status code] and I feel the
> same. This for me should be handled as **forbidden** because the request
> is actually well-formed, but it's not allowed anymore.
>
> What do you think?
New description:
When working with multiple tabs, if a user logs out or his session times
out, any concurrent request happening in another tab will be considered a
bad request. See the {{{SessionInterrupted}}}
[https://github.com/django/django/blob/e1bbbbe6acb69e755554088bc573cc1835673209/django/contrib/sessions/middleware.py#L63-L67/
exception raised].

I see that
[https://github.com/django/django/pull/13395#pullrequestreview-484706827/
@carltongibson was slightly worried about the status code] and I feel the
same. This for me should be handled as **forbidden**
({{{SessionInterrupted}}} being a subclass of {{{PermissionDenied}}})
because the request is actually well-formed, but it's not allowed anymore.

What do you think?
--
Ticket URL: <https://code.djangoproject.com/ticket/34571#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
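The race the ticket describes, reduced to a runnable model. This is an added example, not Django's middleware and not the reporter's code: the in-memory `SessionStore`, the `finish_response` helper and the `SessionInterruptedForbidden` class are constructed here to show the mechanics. Only the exception names `UpdateError`, `BadRequest`, `PermissionDenied` and `SessionInterrupted` mirror the real Django classes; everything else is a simplification.

```python
"""Toy model of a concurrent logout racing an in-flight request (not Django code).

Two tabs share one session key. Tab B logs out and deletes the session row
while tab A's request is still running. When tab A's response is finalised,
the middleware tries to persist the modified session with must_create=False;
the row is gone, the backend raises UpdateError, and the middleware turns
that into SessionInterrupted. Whether the client sees 400 or 403 depends
only on which base class SessionInterrupted inherits from.
"""


class BadRequest(Exception):
    """Stand-in for django.core.exceptions.BadRequest (rendered as HTTP 400)."""


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (rendered as HTTP 403)."""


class UpdateError(Exception):
    """Stand-in for django.contrib.sessions.backends.base.UpdateError."""


class SessionInterrupted(BadRequest):
    """Mirrors Django 3.2, where SessionInterrupted subclasses BadRequest."""


class SessionInterruptedForbidden(PermissionDenied):
    """Hypothetical variant the ticket proposes: a PermissionDenied subclass."""


class SessionStore:
    """Constructed in-memory backend: one dict of rows keyed by session key."""

    def __init__(self):
        self.rows = {}

    def create(self, key, data):
        self.rows[key] = dict(data)

    def delete(self, key):
        # What logout does: flush the server-side session row.
        self.rows.pop(key, None)

    def save(self, key, data, must_create=False):
        if must_create:
            self.rows[key] = dict(data)
            return
        if key not in self.rows:
            # Django's db backend raises UpdateError when a forced update
            # finds no row to update; the same idea is modelled here.
            raise UpdateError(key)
        self.rows[key] = dict(data)


def finish_response(store, key, data, modified, status_code=200,
                    interrupted_exc=SessionInterrupted):
    """Simplified SessionMiddleware.process_response: persist a modified
    session unless the view already failed with a 500; a vanished row
    surfaces as interrupted_exc."""
    if modified and status_code != 500:
        try:
            store.save(key, data)
        except UpdateError:
            raise interrupted_exc(
                "The request's session was deleted before the request completed."
            )
    return status_code


def status_for(exc):
    """HTTP status a request handler would pick for the exception class."""
    if isinstance(exc, BadRequest):
        return 400
    if isinstance(exc, PermissionDenied):
        return 403
    return 500


def simulate_concurrent_logout(interrupted_exc=SessionInterrupted):
    """Tab A modifies its session; tab B logs out first; tab A's save fails."""
    store = SessionStore()
    store.create("k1", {"user_id": 42})
    tab_a_session = {"user_id": 42, "cart": ["sku-1"]}   # loaded and modified by tab A
    store.delete("k1")                                     # tab B's logout lands first
    try:
        return finish_response(store, "k1", tab_a_session, modified=True,
                               interrupted_exc=interrupted_exc)
    except (BadRequest, PermissionDenied) as exc:
        return status_for(exc)


def simulate_normal_save():
    """No race: the row still exists, so the modified session is persisted."""
    store = SessionStore()
    store.create("k1", {"user_id": 42})
    status = finish_response(store, "k1", {"user_id": 42, "cart": []}, modified=True)
    return status, store.rows["k1"]


if __name__ == "__main__":
    print("current behaviour:", simulate_concurrent_logout())                            # 400
    print("proposed behaviour:", simulate_concurrent_logout(SessionInterruptedForbidden))  # 403
```

The two `simulate_concurrent_logout` calls differ only in the base class of the interrupting exception, which is exactly the change the ticket asks about: the request itself is well-formed in both cases, and the session row is already gone in both cases. Note also the `status_code != 500` guard, which is why a view that crashed is not additionally masked by a session error.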