[New-bugs-announce] [issue33620] requests.Session doesn't properly handle closed keep-alive sessions

[Jonathan Lynch]

New submission from Jonathan Lynch <jlynch at tenable.com>:

When a server reaps a keep-alive session it sends a FIN packet to the client. Normally, requests handles this fine and rebuilds the session on the next request. However, there is an edge case involving network latency that is not properly handled:

If python sends a request at roughly the same time as the server closes the session, then the server will send a RST (as the session is closed). Python receives this RST on what it thought was a valid session and throws an error:

requests.exceptions.ConnectionError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response',))

The reason I consider this a bug is because python received the FIN packet before it received the RST. As a result, it shouldn't be surprised when the connection is subsequently aborted. It is an edge case, but the client has enough information available to it that it could have handled it correctly.

The workaround is to set max_retries on the Session via an HTTPAdaptor, but I believe the correct behavior when the FIN is received is to rebuild the session and re-send any requests that were in-flight (rather than throwing an error). Requests correctly handles the FIN packet if there are no in-flight requests, but if there are in-flight requests it ignores it and instead throws an error.

----------
components: Library (Lib)
messages: 317425
nosy: Jonathan Lynch
priority: normal
severity: normal
status: open
title: requests.Session doesn't properly handle closed keep-alive sessions
type: behavior
versions: Python 3.6

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue33620>
_______________________________________