From a735bd940104996a04c25862bf4e2af2ebde2745 Mon Sep 17 00:00:00 2001 From: pyxelr Date: Tue, 23 Jun 2026 12:12:14 +0200 Subject: [PATCH] Remove duplicate CommonMiddleware from MIDDLEWARE django.middleware.common.CommonMiddleware was listed twice in the MIDDLEWARE tuple. Symptoms when the chain runs twice: * For users whose django_session.session_data row cannot be verified by signing.loads (e.g. after a SECRET_KEY rotation), the second pass of CommonMiddleware.process_response runs against responses for which the session/messages state ends up half-initialised, surfacing as a generic 500 page with no traceback on every 404 path, every APPEND_SLASH 301, and assets like /favicon.ico. With-slash URLs that match a real view return 200 because the corruption is silently swallowed (decode -> {}). * Content-Length is computed twice on every response. Removing the duplicate restores the standard middleware behaviour: a corrupted session decodes to {} once, the user is treated as anonymous, and 404/redirect responses are returned normally. --- src/settings/base.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/settings/base.py b/src/settings/base.py index 47c76ad6b..b4e57ae45 100644 --- a/src/settings/base.py +++ b/src/settings/base.py @@ -92,7 +92,6 @@ 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', # 'corsheaders.middleware.CorsMiddleware', # BB - 'django.middleware.common.CommonMiddleware', 'middleware.BlockBannedUsersMiddleware' )
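Review bot: the remaining `django.middleware.common.CommonMiddleware` entry lies outside this hunk's three context lines in src/settings/base.py, so the diff alone does not show that exactly one copy is left or where it sits relative to the session and messages middleware. Please state its position in the description, and consider a settings test asserting `len(MIDDLEWARE) == len(set(MIDDLEWARE))` so a duplicate cannot come back unnoticed. The removed line sat directly below the commented-out `# 'corsheaders.middleware.CorsMiddleware', # BB`; django-cors-headers expects CorsMiddleware to be placed above CommonMiddleware, so if that pairing is why the second copy existed, a short comment on the corsheaders line saying it must move above the remaining CommonMiddleware when re-enabled would stop the duplicate from being reintroduced.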