Closed Bug 1214033 Opened 10 years ago Closed 8 years ago

Session CSRF cookies not needed for API views

Categories

(Socorro :: Webapp, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1262424

People

(Reporter: peterbe, Unassigned)

Details

Attachments

(1 file)

E.g. `curl -v https://crash-stats.mozilla.com/api/CrontabberState/ > /dev/null` shows that it sets a session cookie. We never need that. The point of setting that cookie is so that we check a CSRF cookie. That's never applicable on the API.
Assignee: nobody → peterbe
Ultimately this is premature optimization. Setting a session cookie in memcache isn't particularly expensive considering the types of loads and traffic we have. If we had gobs of API traffic this could be worth pursuing because, after all, creating a CSRF cookie does store a row in the django_sessions postgres table. A simpler solution might be to override the existing CSRF middleware classes and have it exit out early if the request path is /api/*.
Assignee: peterbe → nobody
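The early-exit idea from the comment above, as an added example that is not part of the original thread or Socorro's code. `ApiCsrfBypassMixin`, `is_cookieless_api_request` and the stub classes are hypothetical names; it assumes the wrapped middleware does its session work in `process_view`, and it bypasses only when the request carries no session cookie (`sessionid`, Django's default name), so a cookie-authenticated request still gets the normal check.

```python
API_PREFIX = "/api/"
SESSION_COOKIE = "sessionid"  # Django's default SESSION_COOKIE_NAME


def is_cookieless_api_request(request):
    """True only for /api/* requests that carry no session cookie.

    Without a session cookie there is no ambient browser credential for a
    forged cross-site request to ride on, so the CSRF step adds nothing.
    """
    if not request.path.startswith(API_PREFIX):
        return False  # "/apiary/" and "/about/api/" do not match
    return SESSION_COOKIE not in request.COOKIES


class ApiCsrfBypassMixin:
    """Place before the CSRF middleware class in the bases, e.g.
    class ApiAwareCsrf(ApiCsrfBypassMixin, CsrfViewMiddleware): pass
    """

    def process_view(self, request, view, args, kwargs):
        if is_cookieless_api_request(request):
            return None  # None tells Django to carry on to the view
        return super().process_view(request, view, args, kwargs)


# --- constructed stand-ins so the example runs without Django installed ---
class Request:
    def __init__(self, path, cookies=None):
        self.path, self.COOKIES = path, dict(cookies or {})


class StubCsrf:
    """Models a session-backed CSRF middleware: each request it handles
    gets a session created for it (the cost discussed in the thread)."""

    def __init__(self):
        self.sessions_created = []

    def process_view(self, request, view, args, kwargs):
        self.sessions_created.append(request.path)
        return None


class ApiAwareCsrf(ApiCsrfBypassMixin, StubCsrf):
    pass
```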
In the comments for PR 3266, we talked about working on bug #1262424 instead. I'm just going to dupe this to that one.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE