summaryrefslogtreecommitdiff
path: root/django/contrib/sessions/middleware.py
AgeCommit message (Collapse)Author
2022-11-24Fixed #34173 -- Skipped saving sessions on 5xx responses.SirAbhi13
2022-02-07Refs #33476 -- Reformatted code with Black.django-bot
2021-01-14Refs #26601 -- Made get_response argument required and don't accept None in ↵Mariusz Felisiak
middleware classes. Per deprecation timeline.
2020-09-09Fixed #31962 -- Made SessionMiddleware raise SessionInterrupted when session ↵Hasan Ramezani
destroyed while request is processing.
2020-08-28Refs #31928 -- Made SessionMiddleware call super().__init__().Kevin Michel
2020-07-16Fixed #31790 -- Fixed setting SameSite and Secure cookies flags in ↵Mariusz Felisiak
HttpResponse.delete_cookie(). Cookies with the "SameSite" flag set to None and without the "secure" flag will be soon rejected by latest browser versions. This affects sessions and messages cookies.
2020-03-18Fixed #31224 -- Added support for asynchronous views and middleware.Andrew Godwin
This implements support for asynchronous views, asynchronous tests, asynchronous middleware, and an asynchronous test client.
2020-02-18Refs #26601 -- Deprecated passing None as get_response arg to middleware ↵Claude Paroz
classes. This is the new contract since middleware refactoring in Django 1.10. Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2019-05-29Simplified SessionMiddleware.process_response() a bit.Daniel Hahler
2019-03-21Fixed #29471 -- Added 'Vary: Cookie' to invalid/empty session cookie responses.birthdaysgift
2018-04-13Fixed #27863 -- Added support for the SameSite cookie flag.Alex Gaynor
Thanks Alex Gaynor for contributing to the patch.
2018-01-02Fixed #28965 -- Updated Set-Cookie's Expires date format to follow RFC 7231.Alexey
2016-11-01Fixed #27363 -- Replaced unsafe redirect in SessionMiddleware with ↵Andrew Nester
SuspiciousOperation.
2016-06-21Fixed #26783 -- Fixed SessionMiddleware's empty cookie deletion when using ↵Jon Dufresne
SESSION_COOKIE_PATH.
2016-05-17Fixed #26601 -- Improved middleware per DEP 0005.Florian Apolloner
Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP.
2016-04-08Fixed E128 flake8 warnings in django/.Tim Graham
2016-02-26Fixed #21608 -- Prevented logged out sessions being resurrected by ↵Tore Lundqvist
concurrent requests. Thanks Simon Charette for the review.
2015-08-18Fixed DoS possiblity in contrib.auth.views.logout()Tim Graham
Thanks Florian Apolloner and Carl Meyer for review. This is a security fix.
2015-05-15Fixed #24799 -- Fixed session cookie deletion when using SESSION_COOKIE_DOMAINBo Lopker
2015-05-13Removed unnecessary arguments in .get method callsPiotr Jakimiak
2015-02-06Sorted imports with isort; refs #23860.Tim Graham
2014-05-11Fixed #20936 -- When logging out/ending a session, don't create a new, empty ↵Matt Robenolt
session. Previously, when logging out, the existing session was overwritten by a new sessionid instead of deleting the session altogether. This behavior added overhead by creating a new session record in whichever backend was in use: db, cache, etc. This extra session is unnecessary at the time since no session data is meant to be preserved when explicitly logging out.
2013-11-02More attacking E302 violatorsAlex Gaynor
2013-07-29Deprecated django.utils.importlibClaude Paroz
This was a shim for pre-Python 2.7 support.
2013-06-30Define the SessionStore inside __init__ instead of process_requestMatt Robenolt
It's unnecessary to run this on every request, since technically, settings *should be* immutable.
2012-07-16Fixed #3881 -- skip saving session when response status is 500Anssi Kääriäinen
Saving session data is somewhat likely to lead into error when the status code is 500. It is guaranteed to lead into error if the reason for the 500 code is query error on PostgreSQL.
2010-11-26Fixed #3304 -- Added support for HTTPOnly cookies. Thanks to arvin for the ↵Russell Keith-Magee
suggestion, and rodolfo for the draft patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@14707 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-18Fixed #8193: all dynamic imports in Django are now done correctly. I know ↵Jacob Kaplan-Moss
this because Brett Cannon borrowed the time machine and brought Python 2.7's '`importlib` back for inclusion in Django. Thanks for the patch-from-the-future, Brett! git-svn-id: http://code.djangoproject.com/svn/django/trunk@10088 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-17Fixed #9096 -- Fixed a slightly out-of-date comment.Malcolm Tredinnick
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9062 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-07-30Removed TEST_COOKIE_NAME and TEST_COOKIE_VALUE constants fromMalcolm Tredinnick
sessions.middleware. They haven't been used here since the great refactor and are duplicated in sessions.backends.base.SessionBase. git-svn-id: http://code.djangoproject.com/svn/django/trunk@8156 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-23Several Django styling fixes in the `contrib.sessions` app.Gary Wilson Jr
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7725 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-07Fixed #2548: added get/set_expiry methods to session objects. Thanks, Amit ↵Jacob Kaplan-Moss
Upadhyay and SmileyChris. git-svn-id: http://code.djangoproject.com/svn/django/trunk@7586 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-31Fixed #5816 -- Fixed a regression from [6333] that generates incorrect ↵Gary Wilson Jr
cookie "expires" dates when using a locale other than English. Introduced `http_date` and `cookie_date` utility functions. Thanks for the report Michael Lemaire. Thanks for the patch Karen Tracey and `SmileyChris`. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6634 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-29Fixed imports, indention, and a long line.Gary Wilson Jr
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6628 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-20Fixed #4724 -- Added support for configurable session cookie paths. Helps withMalcolm Tredinnick
multiple Django installs under the same hostname. Thanks, frej and Graham Dumpleton. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6545 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-15Fixed #2066: session data can now be stored in the cache or on the ↵Jacob Kaplan-Moss
filesystem. This should be fully backwards-compatible (the database cache store is still the default). A big thanks to John D'Agostino for the bulk of this code. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6333 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-07-16Fixed #4199 -- Changed date formatting in HTTP expires header to be specMalcolm Tredinnick
compliant. Thanks, Chris Bennett. git-svn-id: http://code.djangoproject.com/svn/django/trunk@5712 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-07-03Fixed #4729 -- SessionWrapper.pop now sets modified flag if necessary. ↵Adrian Holovaty
Thanks, Ben Slavin, SmileyChris and Collin Grady git-svn-id: http://code.djangoproject.com/svn/django/trunk@5592 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-05-21Fixed #4338 -- Added pop() method to SessionWrapper. Thanks, Gary Wilson.Malcolm Tredinnick
git-svn-id: http://code.djangoproject.com/svn/django/trunk@5306 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-03-22Reduced the chances of session object collision. The window of opportunity isMalcolm Tredinnick
now about five Python instructions in get_or_create(). This doesn't guarantee no collisions, but should fix many occurrences. Refs #1180. git-svn-id: http://code.djangoproject.com/svn/django/trunk@4771 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-03-08Fixed #3586 -- Only output "Vary: Cookie" HTTP header when the session objectMalcolm Tredinnick
is accessed. Leads to better caching performance. Thanks, Owen Griffiths. git-svn-id: http://code.djangoproject.com/svn/django/trunk@4680 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-01-25Fixed #2133 -- Invalid session cookie no longer causes fatal error. Thanks, ↵Adrian Holovaty
greg-django@abbas.org git-svn-id: http://code.djangoproject.com/svn/django/trunk@4423 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-08-12Fixed #2523 -- Added SESSION_COOKIE_SECURE setting. Thanks, mir@noris.deAdrian Holovaty
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3570 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-06-08Fixed #2109 -- Convert old-style classes to new-style classes throughout ↵Adrian Holovaty
Django. Thanks, Nicola Larosa git-svn-id: http://code.djangoproject.com/svn/django/trunk@3113 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-06-01Fixed #395 -- Added SESSION_EXPIRE_AT_BROWSER_CLOSE setting, which regulates ↵Adrian Holovaty
whether session framework should use browser-session-length cookies. git-svn-id: http://code.djangoproject.com/svn/django/trunk@3049 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-05-02MERGED MAGIC-REMOVAL BRANCH TO TRUNK. This change is highly ↵Adrian Holovaty
backwards-incompatible. Please read http://code.djangoproject.com/wiki/RemovingTheMagic for upgrade instructions. git-svn-id: http://code.djangoproject.com/svn/django/trunk@2809 bcc190cf-cafb-0310-a4f2-bffc1f526a37