April 13, 2012

We recently upgraded to Django v1.4 and noticed that the session key was no longer being captured in our logs, or at least appearing as "None" instead of the unique identifier string. Normally these session keys are implicitly created on the first reference to request.session_key in your code (assuming that you include django.contrib.sessions middleware in your INSTALLED_APPS), but we noticed no new session cookies were being created. Inside django.contrib.sessions, normally request.session is created:

class SessionMiddleware(object):
def process_request(self, request):
    engine = import_module(settings.SESSION_ENGINE)
    session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME, None)
    request.session = engine.SessionStore(session_key)

Before Django v1.4, the request.session_key in django/backends/base.py is a property that will create a session key on the first reference:

def _get_session_key(self):
    if self._session_key:
        return self._session_key
    else:
        self._session_key = self._get_new_session_key()
        return self._session_key

Although Django v1.4 has documentation about a new signed cookie session approach, there is no mention of this change. It turns out that the session keys are no longer be explicitly created unless it is modified directly as shown in this diff:

https://code.djangoproject.com/changeset/17155

commit 864facf5ccc0879dde7e608a3bea3f4bee1d3a57
Author: aaugustin 
Date:   Sun Nov 27 17:52:24 2011 +0000

Fixed #11555 -- Made SessionBase.session_key read-only. Cleaned up code slightly. Refs #13478.

This also removes the implicit initialization of the session key on the first access in favor of explicit initialization.

In other words, it used to be that just referencing the session_key would cause its creation. The implications are that you must explicitly initialize a session key somewhere in your middleware code. If you start noticing None session keys, chances are that you were operating under this assumption. The fix is to create one somewhere in your middleware.

If your middleware comes after django.contrib.sessions.middleware.SessionMiddleware, then you could initialize the key with the following:
if hasattr(request, 'session') and hasattr(request.session, 'session_key') and getattr(request.session, 'session_key') is None:
  logging.debug("Creating a session key since there is none..")
  request.session.create()

This bug (with a proposed fix) has been filed in: https://code.djangoproject.com/ticket/18128



blog comments powered by Disqus