Fixed #3881 -- skip saving session when response status is 500

Saving session data is somewhat likely to lead into error when the status code is 500. It is guaranteed to lead into error if the reason for the 500 code is query error on PostgreSQL.
2012-07-05 18:09:48 +03:00 · 2012-07-05 18:09:48 +03:00 · aeda55e6bf
parent bebbbb7af0
commit aeda55e6bf
4 changed files with 34 additions and 7 deletions
--- a/django/contrib/sessions/middleware.py
+++ b/django/contrib/sessions/middleware.py
@ -33,11 +33,13 @@ class SessionMiddleware(object):
                    expires_time = time.time() + max_age
                    expires = cookie_date(expires_time)
                # Save the session data and refresh the client cookie.
-                request.session.save()
-                response.set_cookie(settings.SESSION_COOKIE_NAME,
-                        request.session.session_key, max_age=max_age,
-                        expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
-                        path=settings.SESSION_COOKIE_PATH,
-                        secure=settings.SESSION_COOKIE_SECURE or None,
-                        httponly=settings.SESSION_COOKIE_HTTPONLY or None)
+                # Skip session save for 500 responses, refs #3881.
+                if response.status_code != 500:
+                    request.session.save()
+                    response.set_cookie(settings.SESSION_COOKIE_NAME,
+                            request.session.session_key, max_age=max_age,
+                            expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
+                            path=settings.SESSION_COOKIE_PATH,
+                            secure=settings.SESSION_COOKIE_SECURE or None,
+                            httponly=settings.SESSION_COOKIE_HTTPONLY or None)
        return response
--- a/django/contrib/sessions/tests.py
+++ b/django/contrib/sessions/tests.py
@ -409,6 +409,22 @@ class SessionMiddlewareTests(unittest.TestCase):
        self.assertNotIn('httponly',
                         str(response.cookies[settings.SESSION_COOKIE_NAME]))

+    def test_session_save_on_500(self):
+        request = RequestFactory().get('/')
+        response = HttpResponse('Horrible error')
+        response.status_code = 500
+        middleware = SessionMiddleware()
+
+        # Simulate a request the modifies the session
+        middleware.process_request(request)
+        request.session['hello'] = 'world'
+
+        # Handle the response through the middleware
+        response = middleware.process_response(request, response)
+
+        # Check that the value wasn't saved above.
+        self.assertNotIn('hello', request.session.load())
+

 class CookieSessionTests(SessionTestsMixin, TestCase):

--- a/docs/releases/1.5.txt
+++ b/docs/releases/1.5.txt
@ -177,6 +177,12 @@ autocommit behavior was never restored. This bug is now fixed in 1.5. While
 this is only a bug fix, it is worth checking your applications behavior if
 you are using PostgreSQL together with the autocommit option.

+Session not saved on 500 responses
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Django's session middleware will skip saving the session data if the
+response's status code is 500.
+
 Miscellaneous
 ~~~~~~~~~~~~~

--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@ -423,6 +423,9 @@ cookie will be sent on every request.
 Similarly, the ``expires`` part of a session cookie is updated each time the
 session cookie is sent.

+.. versionchanged:: 1.5
+  The session is not saved if the response's status code is 500.
+
 Browser-length sessions vs. persistent sessions
 ===============================================