Inside django.contrib.sessions, normally request.session is created:
class SessionMiddleware(object):Before Django v1.4, the request.session_key in django/backends/base.py is a property that will create a session key on the first reference:
def process_request(self, request):
engine = import_module(settings.SESSION_ENGINE)
session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME, None)
request.session = engine.SessionStore(session_key)
def _get_session_key(self):Although Django v1.4 has documentation about a new signed cookie session approach, there is no mention of this change. It turns out that the session keys are no longer be explicitly created unless it is modified directly as shown in this diff:
self._session_key = self._get_new_session_key()
commit 864facf5ccc0879dde7e608a3bea3f4bee1d3a57In other words, it used to be that just referencing the session_key would cause its creation. The implications are that you must explicitly initialize a session key somewhere in your middleware code. If you start noticing None session keys, chances are that you were operating under this assumption. The fix is to create one somewhere in your middleware.
Date: Sun Nov 27 17:52:24 2011 +0000
Fixed #11555 -- Made SessionBase.session_key read-only. Cleaned up code slightly. Refs #13478.
This also removes the implicit initialization of the session key on the first access in favor of explicit initialization.
If your middleware comes after django.contrib.sessions.middleware.SessionMiddleware, then you could initialize the key with the following:
if hasattr(request, 'session') and hasattr(request.session, 'session_key') and getattr(request.session, 'session_key') is None:
logging.debug("Creating a session key since there is none..")
This bug (with a proposed fix) has been filed in: https://code.djangoproject.com/ticket/18128