Re: [Django] #34571: Request with invalid session after concurrent logout or session timeout is considered a BadRequest

Tue, 16 May 2023 09:22:49 -0700 

#34571: Request with invalid session after concurrent logout or session timeout 
is
considered a BadRequest
-------------------------------------+-------------------------------------
     Reporter:  Daniel Nunes         |                    Owner:  nobody
         Type:  Uncategorized        |                   Status:  new
    Component:  contrib.sessions     |                  Version:  3.2
     Severity:  Normal               |               Resolution:
     Keywords:  session, session     |             Triage Stage:
  bad request                        |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Description changed by Daniel Nunes:

Old description:

> When working with multiple tabs, if a user logs out or his session times
> out, any concurrent request happening in another tab will be considered a
> bad request. See the {{{SessionInterrupted}}}
> [https://github.com/django/django/blob/e1bbbbe6acb69e755554088bc573cc1835673209/django/contrib/sessions/middleware.py#L63-L67/
> exception raised].
>

> I see that
> [https://github.com/django/django/pull/13395#pullrequestreview-484706827/
> @carltongibson was slightly worried about the status code] and I feel the
> same. This for me should be handled as **forbidden**
> ({{{SessionInterrupted}}} being a subclass of {{{PermissionDenied}}})
> because the request is actually well-formed, but it's not allowed
> anymore.
>
> What do you think?

New description:

 When working with multiple tabs, if a user logs out or his session times
 out, any concurrent request happening in another tab will be considered a
 bad request. See the {{{SessionInterrupted}}}
 
[https://github.com/django/django/blob/e1bbbbe6acb69e755554088bc573cc1835673209/django/contrib/sessions/middleware.py#L63-L67/
 exception raised].


 I see that
 [https://github.com/django/django/pull/13395#pullrequestreview-484706827
 @carltongibson was slightly worried about the status code] and I feel the
 same. This for me should be handled as **forbidden**
 ({{{SessionInterrupted}}} being a subclass of {{{PermissionDenied}}})
 because the request is actually well-formed, but it's not allowed anymore.

 What do you think?

--

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34571#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/01070188255f04b0-68b5f80f-c420-4bff-85e2-981edc4f18d7-000000%40eu-central-1.amazonses.com.

Reply via email to