Fixed #29471 -- Added 'Vary: Cookie' to invalid/empty session cookie responses.

2025-10-31 09:41:08 +00:00 · 2019-03-18 18:15:06 +03:00
parent d64808cacd
commit dc740dde50
3 changed files with 5 additions and 0 deletions
--- a/1
+++ b/1
@@ -45,6 +45,7 @@ answer newbie questions, and generally made Django that much better:
    Alex Ogier <alex.ogier@gmail.com>
    Alex Robbins <alexander.j.robbins@gmail.com>
    Alexey Boriskin <alex@boriskin.me>
+    Alexey Tsivunin <most-208@yandex.ru>
    Aljosa Mohorovic <aljosa.mohorovic@gmail.com>
    Amit Chakradeo <https://amit.chakradeo.net/>
    Amit Ramon <amit.ramon@gmail.com>
--- a/django/contrib/sessions/middleware.py
+++ b/django/contrib/sessions/middleware.py
@@ -40,6 +40,7 @@ class SessionMiddleware(MiddlewareMixin):
                    path=settings.SESSION_COOKIE_PATH,
                    domain=settings.SESSION_COOKIE_DOMAIN,
                )
+                patch_vary_headers(response, ('Cookie',))
            else:
                if accessed:
                    patch_vary_headers(response, ('Cookie',))
--- a/tests/sessions_tests/tests.py
+++ b/tests/sessions_tests/tests.py
@@ -748,6 +748,9 @@ class SessionMiddlewareTests(TestCase):
            ),
            str(response.cookies[settings.SESSION_COOKIE_NAME])
        )
+        # SessionMiddleware sets 'Vary: Cookie' to prevent the 'Set-Cookie'
+        # from being cached.
+        self.assertEqual(response['Vary'], 'Cookie')

    @override_settings(SESSION_COOKIE_DOMAIN='.example.local', SESSION_COOKIE_PATH='/example/')
    def test_session_delete_on_end_with_custom_domain_and_path(self):