In my django app, I handle login in the following manner. Users go to a gateway page (index.html) - if they are not currently logged in, there will be a login/password form along with the other material. On successful login (or if they otherwise go to that page while logged in), the page is rendered slightly differently (sans login form).

The way I am handling that is in the view for index.html I do:

logged_in = request.user.is_authenticated()

and then the logged_in variable is passed to the template, which is checked to see which version of the page it renders.

When a user logs in, the login view calls:

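from django.contrib.auth import authenticate, login
# authenticate() returns None when the credentials are rejected
user = authenticate(username=username, password=password)
if user is not None:
    login(request, user)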

And then they are redirected back to index.html.

More often than not, this works perfectly fine. What I see, though, is that sometimes between the HttpResponseRedirect and the index view, request.user is wiped out. I have been logging this for a while now, writing to the log as the last item in the login view and first item in the index view. The effect it has for the user is that it looks like they incorrectly logged in (except w/ no message telling them that).

It does seem to come in spurts, as in the system will be fine for a while, and then I'll see it happen to a user 4-5 times in a row. I should also note that I've never seen/heard of this happening at any point except at the login, as far as I can tell (it is possible that it has happened and no one has complained); once they're in, they're in.

Am I doing something obviously wrong with my login methodology here?

+1  A: 

Apache+Mod Python or WSGI use threads and may pre-cache your requests (depends on your conf). So if you changed something in code you have to restart your Apache. Then the problem should disappear.

That was one thing I thought of (and restarting the server does seem to fix it if it is getting really bad), but this will happen when the server hasn't been touched (code wise) in weeks. Is it possible to turn off the request caching for Apache/mod_python and/or is it wise to do so? This is a pretty low volume site, so the speed angle isn't a big deal here.

Geoff, did you ever resolve this? We're getting similar things at our site -- which is in production and ramping up on the volume. Same conf with Apache+Mod_Python and WSGI. I'm hoping you have had a revelation. Sincerely, Almost/always Working

No. I basically cheated using cookies (which introduces a massive security hole, but given the exact situation we're willing to live with it - it isn't a public facing site by any means), and if it detects the session is lost it'll recreate it for them. It's an ugly hack, and definitely wouldn't be good for any site accessible to the public, but it at least works here. I haven't had a chance to revisit and see if updates to all relevant software help or things like that.
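The two log points described in the question (last statement of the login view, first statement of the index view) can separate a cookie that never came back from a session the server could not load. The following is an added example, not code from the thread. The log format and field names are constructed; in Django the values would come from `request.session.session_key`, `request.COOKIES.get(settings.SESSION_COOKIE_NAME)`, `request.user.is_authenticated()` and `os.getpid()`.

```python
import json

# Constructed sample log: one JSON object per line. "login" is written as the
# last statement of the login view, "index" as the first statement of the
# index view. Field names are hypothetical, chosen for this example.
SAMPLE_LOG = """\
{"t": 1, "view": "login", "client": "a", "pid": 101, "session_key": "k1", "user": "alice"}
{"t": 2, "view": "index", "client": "a", "pid": 101, "cookie_key": "k1", "authenticated": true}
{"t": 3, "view": "login", "client": "b", "pid": 101, "session_key": "k2", "user": "bob"}
{"t": 4, "view": "index", "client": "b", "pid": 102, "cookie_key": "k2", "authenticated": false}
{"t": 5, "view": "login", "client": "c", "pid": 102, "session_key": "k3", "user": "carol"}
{"t": 6, "view": "index", "client": "c", "pid": 102, "cookie_key": null, "authenticated": false}
{"t": 7, "view": "login", "client": "d", "pid": 101, "session_key": "k4", "user": "dave"}
{"t": 8, "view": "index", "client": "d", "pid": 102, "cookie_key": "k0", "authenticated": false}
"""

def classify(login, index):
    """Compare the session issued at login with what the index view received."""
    if index["authenticated"]:
        return "ok"
    if index["cookie_key"] is None:
        return "cookie_not_sent"       # the client never returned the session cookie
    if index["cookie_key"] != login["session_key"]:
        return "stale_cookie_sent"     # a different (older) session key came back
    return "session_not_found"         # right key, but the server saw no logged-in user

def analyse(log_text):
    """Pair each login with the next index hit from the same client."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["view"] == "login":
            pending[rec["client"]] = rec
        elif rec["view"] == "index" and rec["client"] in pending:
            login = pending.pop(rec["client"])
            findings.append({
                "user": login["user"],
                "result": classify(login, rec),
                "same_process": login["pid"] == rec["pid"],
            })
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

If most failures are `session_not_found` with `same_process` false, the session store is the place to look; `cookie_not_sent` points at the cookie's domain, path or the client instead.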