Bug 1262424 - Avoid setting sessions on API queries
Status: RESOLVED FIXED (Closed)
Opened 9 years ago, closed 4 years ago
Product/Component: Socorro :: Webapp (task)
Tracking: Not tracked
Reporter: peterbe; Assignee: willkg
Attachments: 2 files, 1 obsolete file
If you use the /api/*/ with an Auth-Token, that's basically the "equivalent" of sending a `Cookie: sessionid=xxxx` header on the request. But you don't. The Auth-Token is a "hack" that has the same effect as passing a request header cookie.
However, because you don't already have a `sessionid` cookie, Django thinks you need one and it generates a new session and on the response it includes: `Set-Cookie: sessionid=xyz123`. Because the client (who uses curl) ignores this and just continues to use the Auth-Token, the next request will incur the same session creation.
To reproduce,
1) fish out an Auth-Token and be prepared to curl that
2) open your local postgres and look at `select count(*) from django_session;`
3) run `curl -H "Auth-Token: YOURTOKEN"`.
4) Run that curl thing 9 more times.
5) Run `select count(*) from django_session;` again and you'll notice that it's gone up by 10.
The solution is to somehow tell Django to NOT bother generating a session cookie for all requests on /api/*/. In fact we don't want to do this by whitelisting or blacklisting URLs but to set a decorator on the `crashstats.api.views.model_wrapper` function.
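The mechanism the description relies on, as an added example that is not Socorro's code and not the fix that was landed: a small model of the decision Django's SessionMiddleware makes on the way out (persist the session and send `Set-Cookie: sessionid=...` only when the session was modified and is not empty), an Auth-Token middleware that identifies the user without touching the session, a stand-in for the upstream code that writes an anonymous CSRF token into the session, and a hypothetical view decorator that discards that write when the request arrived with no live session. Every class, function and token name below is an assumption, and the stored "table" is an in-memory dict standing in for `django_session`. The decorator deliberately leaves a request that arrived with a valid session cookie alone, which is the logged-in-browser case raised later in the thread.

```python
# Added example; not Socorro's code. All names are hypothetical.
import secrets
from functools import wraps

SESSION_COOKIE_NAME = "sessionid"
API_TOKENS = {"YOURTOKEN": "api-user"}  # constructed token -> user table


class SessionStore:
    """Stand-in for the django_session table (rows keyed by session key)."""
    def __init__(self):
        self.rows = {}


class Session:
    """The parts of Django's SessionBase that SessionMiddleware consults."""
    def __init__(self, store, session_key=None):
        self._store = store
        # A cookie naming an unknown key behaves like no cookie at all.
        self._session_key = session_key if session_key in store.rows else None
        self._cache = dict(store.rows.get(self._session_key, {}))
        self.accessed = self.modified = False

    @property
    def session_key(self):
        return self._session_key

    def __setitem__(self, key, value):
        self._cache[key] = value
        self.accessed = self.modified = True

    def get(self, key, default=None):
        self.accessed = True
        return self._cache.get(key, default)

    def is_empty(self):
        return not self._session_key and not self._cache

    def clear(self):
        self._cache = {}
        self.accessed = self.modified = True

    def save(self):
        if self._session_key is None:
            self._session_key = secrets.token_hex(16)
        self._store.rows[self._session_key] = dict(self._cache)
        return self._session_key


class Request:
    def __init__(self, headers=None, cookies=None):
        self.headers = dict(headers or {})
        self.COOKIES = dict(cookies or {})
        self.session = self.user = None


class Response:
    def __init__(self, body):
        self.body = body
        self.cookies_to_set = {}  # would become Set-Cookie headers


def session_middleware(store, get_response):
    """process_response rule, minus SESSION_SAVE_EVERY_REQUEST: save a row and
    send Set-Cookie only if the session was modified and is not empty."""
    def handle(request):
        request.session = Session(store, request.COOKIES.get(SESSION_COOKIE_NAME))
        response = get_response(request)
        if request.session.modified and not request.session.is_empty():
            response.cookies_to_set[SESSION_COOKIE_NAME] = request.session.save()
        return response
    return handle


def token_auth_middleware(get_response):
    """Auth-Token plays the role of the session cookie without writing to it."""
    def handle(request):
        token_user = API_TOKENS.get(request.headers.get("Auth-Token"))
        request.user = token_user or request.session.get("user")
        return get_response(request)
    return handle


def anonymous_csrf_middleware(get_response):
    """Stands in for upstream code that stores an anonymous CSRF token in the
    session before the view runs; this write is what mints the session."""
    def handle(request):
        if request.session.get("user") is None and request.session.get("csrf") is None:
            request.session["csrf"] = secrets.token_hex(8)
        return get_response(request)
    return handle


def no_new_session(view):
    """Hypothetical fix: a request that arrived without a live session must not
    leave with one, so discard whatever was written; SessionMiddleware then sees
    an empty, keyless session and neither saves a row nor sets the cookie.
    A request that arrived with a valid session (logged-in browser on the API
    docs page) is left untouched, so the login is not wiped."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        response = view(request, *args, **kwargs)
        if request.session.session_key is None:
            request.session.clear()
        return response
    return wrapper


def api_view(request):
    return Response({"user": request.user})


def build_app(store, view):
    """Same order as MIDDLEWARE: session, then auth, then csrf, then the view."""
    return session_middleware(store, token_auth_middleware(anonymous_csrf_middleware(view)))


def login_cookie(store, username):
    """Create a logged-in browser session and return its sessionid cookie."""
    session = Session(store)
    session["user"] = username
    return {SESSION_COOKIE_NAME: session.save()}


def replay(view, times, headers=None, cookies=None, store=None):
    """Send the same request `times` times, ignoring Set-Cookie as curl does.
    Returns (row count in the session table afterwards, last response)."""
    store = store if store is not None else SessionStore()
    app = build_app(store, view)
    response = None
    for _ in range(times):
        response = app(Request(headers, cookies))
    return len(store.rows), response
```

`replay(api_view, 10, headers={"Auth-Token": "YOURTOKEN"})` reproduces the description's count going up by 10; wrapping the view in `no_new_session` brings it to 0 with no `Set-Cookie`, while a request carrying a cookie from `login_cookie` keeps its row and its user. The decorator keys off `session_key` rather than the presence of the cookie header so that a stale `sessionid` cookie naming a deleted row is treated the same as no cookie.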
Comment 4 • Assignee • 4 years ago

Comment 5 • Assignee • 4 years ago
One curious thing that I hit, but didn't spend time looking into, is that adding the @anonymous_csrf_exempt decorator to the view didn't do anything: it still created an anonymous csrf token.
On second thought, I'm going to rethink that PR.
Updated • Assignee • 4 years ago
Attachment #9204004 - Attachment is obsolete: true
Comment 6 • Assignee • 4 years ago

Comment 7 • Assignee • 4 years ago

Comment 8 • Assignee • 4 years ago
Found another issue that caused the API to create a session cookie. Also, I fixed a bug where if you're using the API, but using it from a browser while logged in (like from the API docs page), it would whack your login.
Comment 9 • Assignee • 4 years ago

Comment 10 • Assignee • 4 years ago
willkg merged PR #5690: "bug 1262424: fix another session issue and a bug" in 0be4009.
Once this goes to stage, I'll retest it.
Comment 11 • Assignee • 4 years ago
I retested it on stage:
Need to test these scenarios:
- curl with no auth token
- curl with auth token
- from api reference while not logged in
- from api reference while logged in
Looks ok to me. No new cookies.
Comment 12 • Assignee • 4 years ago
I pushed this to prod in bug #1693645. Marking as FIXED.
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED