Issue 3458: gerrit-review returns HTTP 400 response for subsequent requests when using requests.session
Project Member Reported by david.pu...@sonymobile.com, Jun 25, 2015
*****************************************************************
*****                                                       *****
***** !!!! THIS BUG TRACKER IS FOR GERRIT CODE REVIEW !!!!  *****
*****                                                       *****
***** DO NOT SUBMIT BUGS FOR CHROME, ANDROID, CYANOGENMOD,  *****
***** INTERNAL ISSUES WITH YOUR COMPANY'S GERRIT SETUP, ETC.*****
*****                                                       *****
*****   THOSE ISSUES BELONG IN DIFFERENT ISSUE TRACKERS     *****
*****                                                       *****
*****************************************************************

Affected Version: 2.11.1-797-g15bb782

What steps will reproduce the problem?

Using the python requests library's Session class, make more than one request to the REST API using authentication.

What is the expected output? What do you see instead?

The first requests returns HTTP 200.  Subsequent requests return 400.

When requesting without authentication, the subsequent requests return 200.

Multiple authenticated requests work as expected on internal servers at Sony Mobile, and on my local dev server.

Please provide any additional information below.

I'm not sure if this is a bug in the requests library, or it's because the gerrit-review server is expecting something that I have not properly included in the request.

Simple script to reproduce it below.  It assumes the credentials for the server are in ~/.netrc

$ python
Python 2.7.6 (default, Sep  9 2014, 15:04:36)
[GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.39)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> url = "https://gerrit-review.googlesource.com"
>>> auth = requests.utils.get_netrc_auth(url)
>>> auth
('xxxxx', 'xxxxxx')
>>> s = requests.session()
>>> r = s.get(url=url+"/a/changes/", auth=auth)
>>> r
<Response [200]>
>>> r = s.get(url=url+"/a/changes/", auth=auth)
>>> r
<Response [400]>

See also the discussion on Github:

https://github.com/kennethreitz/requests/issues/2409#issuecomment-115309408
Jun 28, 2015
Project Member #1 david.pu...@sonymobile.com
Further debugging shows that the subsequent requests only fail when a cookie is sent back:

https://github.com/kennethreitz/requests/issues/2409#issuecomment-116289354