#15855: cache_page decorator bypasses any Vary headers set in middleware
-------------------------------------+-------------------------------------
               Reporter:  carljm     |          Owner:  nobody
                   Type:  Bug        |         Status:  new
              Milestone:             |      Component:  Core (Cache system)
                Version:             |       Severity:  Normal
             Resolution:             |       Keywords:
           Triage Stage:  Design     |      Has patch:  1
  decision needed                    |    Needs tests:  0
    Needs documentation:  0          |  Easy pickings:  0
Patch needs improvement:  0          |
                  UI/UX:  0          |
-------------------------------------+-------------------------------------

Comment (by carljm):

 Replying to [comment:5 lukeplant]:
 > It still hasn't been explained **why** `@vary_on_cookie` and
 > `@cache_page` don't work with CSRF pages. Idan had a sentence that looked
 > like it was about to explain it and then stopped. I'm guessing it is to do
 > with the cookie being set by the middleware **after** the page has been
 > cached. Would the documentation be fixed by adding `@csrf_protect` into
 > the stack of decorators?

 Which is why a new ticket should be created, so the actual problem can be
 clearly identified and dealt with appropriately, without muddying the
 waters of this ticket. As far as **this** ticket goes, the current
 workaround documented in the CSRF docs **is** correct, and clearly so:
 vary_on_cookie does in fact add the Vary: Cookie header, which
 unequivocally fixes the problem of the response not having the Vary:
 Cookie header. And that's the only problem this ticket is concerned about.

 If there is a different problem with the current CSRF docs that needs
 fixing, then it is a CSRF-specific problem unrelated to this ticket (even
 if it seems superficially related because it involves the cache_page
 header).

-- 
Ticket URL: <https://code.djangoproject.com/ticket/15855#comment:6>
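
An added example (not part of the ticket or of Django's code): a simplified Python model of the ordering in the ticket title, where a per-view cache stores the response before middleware adds `Vary: Cookie`, next to the `vary_on_cookie` workaround the comment refers to. Every name except `cache_page` and `vary_on_cookie` is hypothetical, and the toy cache only mimics the idea of keying on the headers named in Vary.

```python
# Simplified model of the ordering problem, not Django's implementation.
class Response:
    def __init__(self, body):
        self.body, self.vary = body, []   # vary: header names listed in Vary

def cache_page(view):
    """Toy per-view cache keyed on the Vary names present when the view returns."""
    vary_for_path, pages = {}, {}

    def key(request, names):
        return (request["path"],) + tuple(request["headers"].get(n, "") for n in names)

    def wrapped(request):
        names = vary_for_path.get(request["path"])
        if names is not None and key(request, names) in pages:
            return Response(pages[key(request, names)])  # cache hit
        response = view(request)
        # Stored here, before outer middleware has touched the response.
        vary_for_path[request["path"]] = list(response.vary)
        pages[key(request, response.vary)] = response.body
        return response
    return wrapped

def add_vary_cookie(handler):
    """Wrap a handler so its response lists Cookie in Vary."""
    def wrapped(request):
        response = handler(request)
        if "Cookie" not in response.vary:
            response.vary.append("Cookie")
        return response
    return wrapped

vary_on_cookie = add_vary_cookie     # applied to the view, inside cache_page
cookie_middleware = add_vary_cookie  # applied outside cache_page, like middleware

def page(request):
    return Response("hello " + request["headers"].get("Cookie", "anonymous"))

def serve(handler, cookie):
    """Send one constructed request for "/" carrying the given Cookie value."""
    return handler({"path": "/", "headers": {"Cookie": cookie}}).body

unsafe = cookie_middleware(cache_page(page))
safe = cookie_middleware(cache_page(vary_on_cookie(page)))
```

In the `unsafe` stack the second visitor receives the first visitor's cached body even though the outgoing response carries `Vary: Cookie`; in the `safe` stack the cache key already includes the cookie value.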