[5.2.x] Fixed CVE-2026-35192 -- Ensured Vary header is sent when setting session cookie with SESSION_SAVE_EVERY_REQUEST=True.

Thank you Jacob Walls and Natalia Bidart for reviews.

Backport of 7f6e9b5 from main.

Author: RealOrangeOne

django/contrib/sessions/middleware.py

@@ -40,10 +40,11 @@ def process_response(self, request, response):
                 domain=settings.SESSION_COOKIE_DOMAIN,
                 samesite=settings.SESSION_COOKIE_SAMESITE,
             )
-            patch_vary_headers(response, ("Cookie",))
+            need_vary_cookie = True
         else:
-            if accessed:
-                patch_vary_headers(response, ("Cookie",))
+            # If the session was accessed, it must be varied on, regardless of
+            # whether it was modified or will be saved.
+            need_vary_cookie = accessed
             if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty:
                 if request.session.get_expire_at_browser_close():
                     max_age = None
@@ -74,4 +75,8 @@ def process_response(self, request, response):
                         httponly=settings.SESSION_COOKIE_HTTPONLY or None,
                         samesite=settings.SESSION_COOKIE_SAMESITE,
                     )
+                    # With a session cookie set, it must be varied on.
+                    need_vary_cookie = True
+        if need_vary_cookie:
+            patch_vary_headers(response, ("Cookie",))
         return response

docs/releases/5.2.14.txt

@@ -20,3 +20,14 @@ relying on :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`.
 
 This issue has severity "low" according to the :ref:`Django security policy
 <security-disclosure>`.
+
+CVE-2026-35192: Session fixation via public cached pages and ``SESSION_SAVE_EVERY_REQUEST``
+===========================================================================================
+
+Response headers did not :ref:`vary on <using-vary-headers>` cookies if a
+session was not modified, but :setting:`SESSION_SAVE_EVERY_REQUEST` was
+``True``. A remote attacker could steal a user's session after that user visits
+a cached public page.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.

tests/sessions_tests/tests.py

@@ -1021,6 +1021,7 @@ def test_secure_session_cookie(self):
         # Handle the response through the middleware
         response = middleware(request)
         self.assertIs(response.cookies[settings.SESSION_COOKIE_NAME]["secure"], True)
+        self.assertEqual(response.headers["Vary"], "Cookie")
 
     @override_settings(SESSION_COOKIE_HTTPONLY=True)
     def test_httponly_session_cookie(self):
@@ -1161,6 +1162,7 @@ def response_ending_session(request):
             ),
             str(response.cookies[settings.SESSION_COOKIE_NAME]),
         )
+        self.assertEqual(response.headers["Vary"], "Cookie")
 
     def test_flush_empty_without_session_cookie_doesnt_set_cookie(self):
         def response_ending_session(request):
@@ -1178,6 +1180,32 @@ def response_ending_session(request):
         # The session is accessed so "Vary: Cookie" should be set.
         self.assertEqual(response.headers["Vary"], "Cookie")
 
+    @override_settings(SESSION_SAVE_EVERY_REQUEST=True)
+    def test_save_every_request_with_non_empty_session_renews_session_cookie(self):
+        request = self.request_factory.get("/")
+        middleware = SessionMiddleware(self.get_response_touching_session)
+
+        # Make sure the request has a session.
+        middleware(request)
+
+        # A cookie should be set.
+        self.assertIs(request.session.is_empty(), False)
+        self.assertEqual(request.session["hello"], "world")
+
+        request.COOKIES[settings.SESSION_COOKIE_NAME] = request.session.session_key
+
+        def simple_view(request):
+            return HttpResponse("Session test")
+
+        middleware = SessionMiddleware(simple_view)
+        response = middleware(request)
+
+        # A cookie should be set because SESSION_SAVE_EVERY_REQUEST=True,
+        # even though the session wasn't touched.
+        self.assertIn(settings.SESSION_COOKIE_NAME, response.cookies)
+        # There's a session, so also Vary on it.
+        self.assertEqual(response.headers["Vary"], "Cookie")
+
     def test_empty_session_saved(self):
         """
         If a session is emptied of data but still has a key, it should still