#29450: Redirect using HTTP status "303 See Other" for django.http.response HttpResponseRedirect
-----------------------------------------------+-------------------------------------
               Reporter:  Duane Hutchins       |          Owner:  nobody
                   Type:  Cleanup/optimization |         Status:  new
              Component:  HTTP handling        |        Version:  master
               Severity:  Normal               |       Keywords:  http redirect 302 303
           Triage Stage:  Unreviewed           |      Has patch:  0
    Needs documentation:  0                    |    Needs tests:  0
Patch needs improvement:  0                    |  Easy pickings:  1
                  UI/UX:  0                    |
-----------------------------------------------+-------------------------------------
 Regarding:
 
[https://docs.djangoproject.com/en/2.0/_modules/django/http/response/#HttpResponseRedirect
 django.http.response HttpResponseRedirect]

 Current redirects use http status 302, which is fine most of the time, but
 it can cause issues if browser caching is permitted.

 For example:

 * Cache-Control allows caching globally
 * User is logged in
 * User logs out (GET response = 302 redirect)
 * This response is cached by the browser
 * User logs back in
 * User attempts to log out again
 * Browser serves cached response from disk and redirects without request
 revalidation
 * Result: User is not actually logged out

 Caching breaks the response, which is why HTTP Status 303 redirects do not
 allow caching. They are more appropriate than 302 redirects.
 https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.3

 Note that 303 redirects are not HTTP/1.0 compatible. A quick check shows
 that every modern browser now supports http/1.1 or higher. Still, 302
 redirect responses can still be served for http/1.0 requests, if that's a
 concern.

 Two other tickets (#13277 and #6227) requested this fix 8+ years ago, and
 they were closed because http/1.0 was still in common use at the time.

 Now that http/1.0 is no longer in common use, can we change this redirect
 to 303?

-- 
Ticket URL: <https://code.djangoproject.com/ticket/29450>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.