Closed Bug 1262424 Opened 9 years ago Closed 4 years ago

Avoid setting sessions on API queries

Categories

(Socorro :: Webapp, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: peterbe, Assigned: willkg)

References

Details

Attachments

(2 files, 1 obsolete file)

If you use the /api/*/ with an Auth-Token, that's basically the "equivalent" of sending a `Cookie: sessionid=xxxx` header on the request. But you don't. The Auth-Token is a "hack" that has the same effect as passing a request header cookie. However, because you don't already have a `sessionid` cookie, Django thinks you need one and it generates a new session and on the response it includes: `Set-Cookie: sessionid=xyz123`. Because the client (who uses curl) ignores this and just continues to use the Auth-Token, the next request will incur the same session creation.

To reproduce:

  1. fish out an Auth-Token and be prepared to curl with that
  2. open your local postgres and look at `select count(*) from django_session;`
  3. run `curl -H "Auth-Token: YOURTOKEN"`
  4. run that curl thing 9 more times
  5. run `select count(*) from django_session;` again and you'll notice that it's gone up by 10

The solution is to somehow tell Django to NOT bother generating a session cookie for all requests on /api/*/. In fact we don't want to do this by white- or black-listing URLs but to set a decorator on the `crashstats.api.views.model_wrapper` function.
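The mechanism described above (a lazy session that becomes a `django_session` row as soon as something writes to it, plus a `Set-Cookie` that a curl client never sends back), and a view-level decorator that stops it, as an added illustration. This is not Socorro's code and does not import Django: `SessionTable`, `Session`, `session_middleware`, `no_session`, the `anonymous_csrf` hook and the `API_TOKENS` table are all hypothetical stand-ins for the real middleware, django-session-csrf and the token lookup, and the ten-request loop reproduces the count-goes-up-by-10 observation from the report.

```python
import secrets
from dataclasses import dataclass, field
from functools import wraps

# Constructed token table; stands in for the real Auth-Token lookup (hypothetical).
API_TOKENS = {"YOURTOKEN": "peterbe"}


class SessionTable:
    """Stand-in for the django_session table: one dict entry per row."""
    def __init__(self):
        self.rows = {}

    def count(self):
        return len(self.rows)


class Session:
    """Toy model of a Django session: lazy, and written to the table only if modified."""
    def __init__(self, table, key=None):
        self.table, self.key = table, key
        self.data = dict(table.rows.get(key, {}))
        self.modified = False

    def __contains__(self, k):
        return k in self.data

    def __setitem__(self, k, v):
        self.data[k] = v
        self.modified = True

    def save(self):
        if self.key is None:                      # no cookie came in: brand-new row
            self.key = secrets.token_hex(16)
        self.table.rows[self.key] = dict(self.data)


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    session: Session = None


@dataclass
class Response:
    body: str
    set_cookie: dict = field(default_factory=dict)


def no_session(view):
    """Hypothetical decorator for API views: flag the callable so the middleware
    never persists a session or emits Set-Cookie for it."""
    @wraps(view)
    def wrapped(request):
        return view(request)
    wrapped.skip_session = True
    return wrapped


def session_middleware(table, view):
    """Toy SessionMiddleware: load from the cookie, run the view, save if modified."""
    def handle(request):
        request.session = Session(table, request.cookies.get("sessionid"))
        response = view(request)
        if getattr(view, "skip_session", False):
            # API view: no new row, no Set-Cookie, and an existing browser
            # cookie/row is left exactly as it was (so a logged-in user stays logged in).
            return response
        if request.session.modified:
            request.session.save()
            response.set_cookie["sessionid"] = request.session.key
        return response
    return handle


def anonymous_csrf(request):
    """Stand-in for an anonymous-CSRF hook: anonymous visitors get a token stored
    in the session. This write is what turns the lazy session into a row."""
    if "user" not in request.session and "anoncsrf" not in request.session:
        request.session["anoncsrf"] = secrets.token_hex(8)


def model_wrapper(request):
    """Stand-in for crashstats.api.views.model_wrapper (hypothetical body)."""
    anonymous_csrf(request)
    user = API_TOKENS.get(request.headers.get("Auth-Token"))
    return Response(body=f"hello {user or 'anonymous'}")


def curl_api(handle, n, token="YOURTOKEN"):
    """Simulates running `curl -H "Auth-Token: ..."` n times: curl never replays Set-Cookie."""
    last = None
    for _ in range(n):
        last = handle(Request(headers={"Auth-Token": token}))
    return last


def simulate(fixed, curls=10):
    """Returns (rows created by the curl loop, Set-Cookie on the last curl response,
    whether a logged-in browser user's session survived calling the API)."""
    table = SessionTable()
    view = no_session(model_wrapper) if fixed else model_wrapper
    handle = session_middleware(table, view)

    before = table.count()
    last = curl_api(handle, curls)
    rows_from_curl = table.count() - before

    # Scenario 4 from the thread: a browser user who is already logged in calls the API.
    login = Session(table)
    login["user"] = "peterbe"
    login.save()
    handle(Request(cookies={"sessionid": login.key}))
    login_survived = table.rows.get(login.key, {}).get("user") == "peterbe"
    return rows_from_curl, "sessionid" in last.set_cookie, login_survived


if __name__ == "__main__":
    print("unfixed:", simulate(fixed=False))   # 10 new rows, Set-Cookie emitted
    print("fixed:  ", simulate(fixed=True))    # 0 new rows, no Set-Cookie, login intact
```

The decorator is checked on the view callable rather than by matching `/api/*/` URLs, which is the approach the report asks for; the same attribute-on-the-view pattern is how Django's own `csrf_exempt` is recognised by its middleware. The last return value is the regression check worth keeping: the fix must skip creating and setting a session without touching a session that already exists.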

Grabbing this.

Assignee: nobody → willkg
Status: NEW → ASSIGNED

One curious thing that I hit, but didn't spend time looking into is that adding the @anonymous_csrf_exempt decorator to the view didn't do anything--it still created an anonymous csrf token.

On second thought, I'm going to rethink that PR.

Attachment #9204004 - Attachment is obsolete: true

Found another issue that caused the API to create a session cookie. Also, I fixed a bug where if you're using the API, but using it from a browser while logged in (like from the API docs page), it would whack your login.

I retested it on stage:

Need to test these scenarios:

  1. curl with no auth token
  2. curl with auth token
  3. from api reference while not logged in
  4. from api reference while logged in

Looks ok to me. No new cookies.

I pushed this to prod in bug #1693645. Marking as FIXED.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
