StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POWhy is using thread locals in Django bad?
primarykey
Id
3227180
data
AcceptedAnswerId
3227515
AnswerCount
3
ClosedDate
CommentCount
3
CommunityOwnedDate
CreationDate
2010-07-12T09:21:48.627
FavoriteCount
20
LastActivityDate
2016-09-04T05:22:57.057
LastEditDate
2011-11-19T23:57:15.653
LastEditorUserId
1502059
OwnerUserId
84952
ParentId
0
PostTypeId
1
Score
42
ViewCount
11338
LastEditorDisplayName
text
Body
I am using thread locals to store the current user and request objects. This way I can have easy access to the request from anywhere in the programme (e.g. dynamic forms) without having to pass them around. To implement the thread locals storage in a middleware, I followed a tutorial on the Django site: <a href="http://code.djangoproject.com/wiki/CookBookThreadlocalsAndUser?version=18" rel="noreferrer">http://code.djangoproject.com/wiki/CookBookThreadlocalsAndUser?version=18</a> This document has since been modified to suggest avoiding this technique: <a href="http://code.djangoproject.com/wiki/CookBookThreadlocalsAndUser?version=20" rel="noreferrer">http://code.djangoproject.com/wiki/CookBookThreadlocalsAndUser?version=20</a> From the article: <blockquote> From a design point of view, threadlocals are essentially global variables, and are subject to all the usual problems of portability and predictability that global variables usually entail. More importantly, from a security point of view, threadlocals pose a huge risk. By providing an data store that exposes the state of other threads, you provide a way for one thread in your web server to potentially modify the state of another thread in the system. If the threadlocal data contains descriptions of users or other authentication-related data, that data could be used as the basis for an attack that grants access to an unauthorized user, or exposes private details of a user. While it is possible to build a threadlocal system that is safe from this sort of attack, it's a lot easier to be defensive and build a system that isn't subject to any such vulnerability in the first place. </blockquote> I understand why global variables can be bad, but in this case I'm running my own code on my own server so I can't see what danger two global variables pose. Can someone explain the security issue involved? I have asked many people how they would hack my application if they read this article and know I'm using thread locals, yet no one has been able to tell me. I am starting to suspect that this is an opinion held by hair-splitting purists who love to pass objects explicitly.
Tags
<python><django><thread-local>
Title
Why is using thread locals in Django bad?
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USNick Bastin
UserOwnerUserId
1. UShekevintran
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
2. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
3. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POWhy is using thread locals in Django bad?
 UserUserId
 USValentin Golev
 VoteTypeVoteTypeId
 VTFavorite
2. VO
 singulars
 PostPostId
 POWhy is using thread locals in Django bad?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 POWhy is using thread locals in Django bad?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COBy the way - do you have the original example? It's deleted now and I want to use that...
 singulars
 PostPostId
 POWhy is using thread locals in Django bad?
 UserUserId
 USrslite
2. COThis snippet is pretty similar to the deleted page: http://djangosnippets.org/snippets/2179/
 singulars
 PostPostId
 POWhy is using thread locals in Django bad?
 UserUserId
 UShekevintran

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.