diff --git a/django/contrib/sessions/middleware.py b/django/contrib/sessions/middleware.py
index 6e59390981..d36be4eca8 100644
--- a/django/contrib/sessions/middleware.py
+++ b/django/contrib/sessions/middleware.py
@@ -30,46 +30,45 @@ class SessionMiddleware(MiddlewareMixin):
 modified = request.session.modified
 empty = request.session.is_empty()
 except AttributeError:
- pass
+ return response
+ # First check if we need to delete this cookie.
+ # The session should be deleted only if the session is entirely empty.
+ if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
+ response.delete_cookie(
+ settings.SESSION_COOKIE_NAME,
+ path=settings.SESSION_COOKIE_PATH,
+ domain=settings.SESSION_COOKIE_DOMAIN,
+ )
+ patch_vary_headers(response, ('Cookie',))
 else:
- # First check if we need to delete this cookie.
- # The session should be deleted only if the session is entirely empty
- if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
- response.delete_cookie(
- settings.SESSION_COOKIE_NAME,
- path=settings.SESSION_COOKIE_PATH,
- domain=settings.SESSION_COOKIE_DOMAIN,
- )
+ if accessed:
 patch_vary_headers(response, ('Cookie',))
- else:
- if accessed:
- patch_vary_headers(response, ('Cookie',))
- if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty:
- if request.session.get_expire_at_browser_close():
- max_age = None
- expires = None
- else:
- max_age = request.session.get_expiry_age()
- expires_time = time.time() + max_age
- expires = http_date(expires_time)
- # Save the session data and refresh the client cookie.
- # Skip session save for 500 responses, refs #3881.
- if response.status_code != 500:
- try:
- request.session.save()
- except UpdateError:
- raise SuspiciousOperation(
- "The request's session was deleted before the "
- "request completed. The user may have logged "
- "out in a concurrent request, for example."
- )
- response.set_cookie(
- settings.SESSION_COOKIE_NAME,
- request.session.session_key, max_age=max_age,
- expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
- path=settings.SESSION_COOKIE_PATH,
- secure=settings.SESSION_COOKIE_SECURE or None,
- httponly=settings.SESSION_COOKIE_HTTPONLY or None,
- samesite=settings.SESSION_COOKIE_SAMESITE,
+ if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty:
+ if request.session.get_expire_at_browser_close():
+ max_age = None
+ expires = None
+ else:
+ max_age = request.session.get_expiry_age()
+ expires_time = time.time() + max_age
+ expires = http_date(expires_time)
+ # Save the session data and refresh the client cookie.
+ # Skip session save for 500 responses, refs #3881.
+ if response.status_code != 500:
+ try:
+ request.session.save()
+ except UpdateError:
+ raise SuspiciousOperation(
+ "The request's session was deleted before the "
+ "request completed. The user may have logged "
+ "out in a concurrent request, for example."
 )
+ response.set_cookie(
+ settings.SESSION_COOKIE_NAME,
+ request.session.session_key, max_age=max_age,
+ expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
+ path=settings.SESSION_COOKIE_PATH,
+ secure=settings.SESSION_COOKIE_SECURE or None,
+ httponly=settings.SESSION_COOKIE_HTTPONLY or None,
+ samesite=settings.SESSION_COOKIE_SAMESITE,
+ )
 return response
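Review bot: The `response.delete_cookie(...)` call at the top of the dedented block passes only `path` and `domain`, while the `response.set_cookie(...)` call at the end also passes `secure`, `httponly` and `samesite`, so the expiring cookie carries different attributes from the session cookie it is meant to clear. Browsers that apply SameSite and Secure rules to every Set-Cookie header may warn about or ignore such a deletion, which could leave a stale session cookie on the client after the session has been emptied. If `delete_cookie` in this tree accepts it, add `samesite=settings.SESSION_COOKIE_SAMESITE,` to that call; otherwise a short comment there should record the mismatch. This code is moved rather than newly written, and process_response starts above the hunk, so the `try` block that the new `return response` belongs to is only partly visible here.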