Session key collision when using default DB Session backend

Hi Everyone,
I was running Django version 3.2 with the default Session configuration. The problem I sometimes face (at random) is that UserB suddenly gets the sessionid of UserA.

I debugged the network; Django or maybe my code is somehow changing the sessionid randomly.

I then migrated to Django version 4.1 and the issue still exists, so it's fairly certain that something is wrong with the library I am using or with my code. But I am not able to debug it, since the View/URL that shows this behaviour is very clean code-wise: it doesn't do anything with sessions, it just saves the form and returns a response.

What I have done so far:

  • Checked middlewares
  • Checked templatetags

I am also trying to debug the whole flow, but I am getting nowhere.

So with this question, I would like to ask for some help on how I should debug such problems.

Are you trying to test this with multiple tabs on the same system? Or are you testing this situation with different machines? (How are you verifying that this is happening?)

I am able to replicate this in a different browser on the same computer and also on a different machine.

Is your database a master/slave configuration?

Nope, I am just using a single DB instance (Postgres).

There are two different possibilities here that I can think of off-hand -

  • The cookies are getting conflated between systems. That can be checked by examining the cookies on each - verifying at start that the cookies are unique between the two systems, then checking again after the accounts have been switched.

  • Something is changing the sessions - copying session data from one session id to the other. That would be checked in the database in the sessions table. (Bad caching of the session table perhaps?)

I don’t know what might be causing either of these, but it would be helpful to know where exactly the problem is occurring to help narrow the search.

I found the root cause of my issue: it was because of using a globally initialized HttpResponse() object.

I moved this code inside the function, as a local, and everything worked fine.

This issue occurred because:

  1. When someone performed operation A, I was modifying the session, which got stuck to the globally defined HttpResponse().
  2. Now, whenever any user does operation B, which also uses the same globally defined HttpResponse(), it works but also sends the session that got stuck to this response object in step 1.

Can we have a warning system in Django code when someone initializes HttpResponse globally? Any views on this? I am willing to work on it.

Thank you everyone for the help.
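The following is an added example, not part of the thread and not Django code: a standard-library static check that flags response objects constructed at import time (module level, class bodies, decorators, default arguments), the pattern that let one user's session cookie ride along on another user's response. The class-name list, the `find_shared_responses` helper and the sample module are assumptions made for illustration.

```python
import ast

# Class names to flag (assumed list; extend with project-specific subclasses).
RESPONSE_CLASSES = {"HttpResponse", "JsonResponse", "HttpResponseRedirect"}

# Constructed sample module, not the poster's code.
SAMPLE = '''
from django.http import HttpResponse

OK = HttpResponse("saved")        # built once at import, shared by all requests

def operation_a(request):
    request.session["step"] = "a"
    return OK

def operation_b(request):
    return HttpResponse("saved")  # built per request
'''

class _Finder(ast.NodeVisitor):
    def __init__(self):
        self.hits = []

    def visit_FunctionDef(self, node):
        # Skip the body (it runs per call), but decorators and default
        # arguments are evaluated once at import time, so scan those.
        defaults = node.args.defaults + [d for d in node.args.kw_defaults if d is not None]
        for expr in node.decorator_list + defaults:
            self.visit(expr)
    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Lambda(self, node):
        pass  # lambda body also runs per call

    def visit_Call(self, node):
        func = node.func
        name = getattr(func, "id", None) or getattr(func, "attr", None)
        if name in RESPONSE_CLASSES:
            self.hits.append((node.lineno, name))
        self.generic_visit(node)

def find_shared_responses(source):
    """Return sorted (line, class name) pairs for responses built at import time."""
    finder = _Finder()
    finder.visit(ast.parse(source))
    return sorted(finder.hits)

if __name__ == "__main__":
    for line, name in find_shared_responses(SAMPLE):
        print(f"line {line}: {name}() is created at import time and shared across requests")
```

The check matches on the trailing class name only, so it will not see responses created through aliases or factory helpers; it is meant as a quick CI or pre-commit screen over view modules.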