Fixed #23939 -- Moved session verification out of SessionAuthenticationMiddleware.

Thanks andrewbadr for the report and Carl Meyer for the review.
2025-10-24 06:06:09 +00:00 · 2014-12-03 07:33:44 -05:00
parent 26dd518b5c
commit b06dfad88f
5 changed files with 59 additions and 34 deletions
--- a/docs/releases/1.7.2.txt
+++ b/docs/releases/1.7.2.txt
@@ -104,3 +104,7 @@ Bugfixes

 * Fixed serialization of ``type`` when adding a ``deconstruct()`` method
  (:ticket:`23950`).
+
+* Prevented the
+  :class:`~django.contrib.auth.middleware.SessionAuthenticationMiddleware` from
+  setting a ``"Vary: Cookie"`` header on all responses.
--- a/docs/releases/1.7.txt
+++ b/docs/releases/1.7.txt
@@ -1461,8 +1461,8 @@ Miscellaneous

 * With the addition of the
  :class:`~django.contrib.auth.middleware.SessionAuthenticationMiddleware` to
-  the default project template, a database must be created before accessing
-  a page using :djadmin:`runserver`.
+  the default project template (pre-1.7.2 only), a database must be created
+  before accessing a page using :djadmin:`runserver`.

 .. _deprecated-features-1.7: