Session key collision when using default DB Session backend

Using Django Forms & APIs
1

Hi Everyone,
I was running Django version 3.2 with default configurations of Session. The problem is i sometime face (in random order), suddenly UserB gets sessionid of UserA.

I debugged the network, django/or maybe my code is somehow changing the sessionid randomly.

I then migrated to Django Version 4.1 and the issue still exists, so it’s kind of sure something is wrong with the library i am using or my code. But i am not being able to debug, since the View/URL which is performing this behaviour is very clean codewise, it doesn’t do anything with sessions, it just saves the form and returns a response.

What i have done till now

  • Checked middlewares
  • Checked templatetags
    and trying to debug whole flow, but i am getting nowhere.

So with this question, i would like to ask some helps on how should i debug such problems?

2

Are you trying to test this with multiple tabs on the same system? Or are you testing this situation with different machines? (How are you verifying that this is happening?

3

I am able to replicate this on a different browser inside same computer and also in different machine as well.

4

is your database a master/slave configuration?

5

Nope, i am just using a single DB instance (Postgres)

6

There are two different possibilities here that I can think of off-hand -

  • The cookies are getting conflated between systems. That can be checked by examining the cookes on each - verifying at start that the cookies are unique between the two systems, then checking again after the accounts have been switched.

  • Something is changing the sessions - copying session data from one session id to the other. That would be checked in the database in the sessions table. (Bad caching of the session table perhaps?)

I don’t know what might be causing either of these, but it would be helpful to know where exactly the problem is occurring to help narrow the search.

7

I found out the root cause for my issue, it was because of using a globally initialized HttpResponse() object.

I moved this code inside func local, and everything was working fine.

This issue was because,

  1. When someone performs A operations, then i was modifying the session which got sticked with the globally defined HttpResponse()
  2. Now, whenever anyuser does B operation, which also uses the same globally defined HttpResponse() then a it works but also send the session which is sticked with this response object from STEP 1

Can we have a warning system in Django code when someone initializes HttpResponse globally ? Any views on this ? I am willing to work on it.

8

Thank you everyone for the help.