Django

Changeset 8343

Timestamp: 08/13/08 22:58:00
Author: mtredinnick
Message:

Fixed #6941 -- When logging a user out, or when logging in with an existing
session and a different user id to the current session owner, flush the session
data to avoid leakage. Logging in and moving from an anonymous user to a
validated user still keeps existing session data.

Backwards incompatible if you were assuming sessions persisted past logout.

Files:

  • django/trunk/django/contrib/auth/__init__.py

    r5678 r8343  
    5454    user.last_login = datetime.datetime.now() 
    5555    user.save() 
     56    if request.session.get('SESSION_KEY', user.id) != user.id: 
     57        # To avoid reusing another user's session, create a new, empty session 
     58        # if the existing session corresponds to a different authenticated user. 
     59        request.session.flush() 
    5660    request.session[SESSION_KEY] = user.id 
    5761    request.session[BACKEND_SESSION_KEY] = user.backend 
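Review bot: the new guard `if request.session.get('SESSION_KEY', user.id) != user.id:` looks up the string literal 'SESSION_KEY' instead of the SESSION_KEY constant that the very next kept line, `request.session[SESSION_KEY] = user.id`, uses to store the id. The literal key is never present, so get() always returns the default `user.id`, the comparison is always false, and `request.session.flush()` never runs; logging in as a different user over an existing authenticated session therefore still keeps the first user's data, which is the leak the commit message says this fixes. Replace the literal with the constant: `if request.session.get(SESSION_KEY, user.id) != user.id:`. A short comment that the default of `user.id` deliberately lets an anonymous session (no key stored yet) pass through and keep its data would also make the intent in the commit message visible in the code.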
     
    6165def logout(request): 
    6266    """ 
    63     Remove the authenticated user's ID from the request. 
     67    Removes the authenticated user's ID from the request and flushes their 
     68    session data. 
    6469    """ 
    65     try: 
    66         del request.session[SESSION_KEY] 
    67     except KeyError: 
    68         pass 
    69     try: 
    70         del request.session[BACKEND_SESSION_KEY] 
    71     except KeyError: 
    72         pass 
     70    request.session.flush() 
    7371    if hasattr(request, 'user'): 
    7472        from django.contrib.auth.models import AnonymousUser 
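Review bot: the updated docstring says logout "flushes their session data" but not that flush() also issues a new session key, and the key rotation is the part that stops the old cookie from being replayed; this changeset's own docs/sessions.txt hunk describes flush() that way, so say it here too, e.g. "Removes the authenticated user's ID from the request, discards all session data and rotates the session key." Dropping the two try/except blocks around `del request.session[SESSION_KEY]` and `del request.session[BACKEND_SESSION_KEY]` is fine: flush() discards the whole session, so the missing-key cases they guarded against no longer arise.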
  • django/trunk/docs/authentication.txt

    r8043 r8343  
    426426 
    427427Note that ``logout()`` doesn't throw any errors if the user wasn't logged in. 
     428 
     429**New in Django development version:** When you call ``logout()``, the session 
     430data for the current request is completely cleaned out. All existing data is 
     431removed. This is to prevent another person from using the same web browser to 
     432log in and have access to the previous user's session data. If you want to put 
     433anything into the session that will be available to the user immediately after 
     434logging out, do that *after* calling ``django.contrib.auth.logout()``. 
    428435 
    429436Limiting access to logged-in users 
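Review bot: this paragraph documents only the logout() side of the change. The commit message also makes login() flush an existing session whose stored user id belongs to a different user, and that is just as visible to callers: data put in the session while user A was logged in disappears when user B logs in through the same browser without A logging out, while an anonymous session's data survives login. Add a sentence to the login() description (or here) stating both halves, so readers of the "New in Django development version" note learn about both new flush points.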
  • django/trunk/docs/sessions.txt

    r8342 r8343  
    118118      session key value that is sent back to the user in the cookie. This is 
    119119      used if you want to ensure that the previous session data can't be 
    120       accessed again from the user's browser (for example, the standard 
    121       ``logout()`` method calls it). 
     120      accessed again from the user's browser (for example, the 
     121      ``django.contrib.auth.logout()`` method calls it). 
    122122 
    123123    * ``set_test_cookie()`` 
     
    230230            pass 
    231231        return HttpResponse("You're logged out.") 
     232 
     233The standard ``django.contrib.auth.logout()`` function actually does a bit 
     234more than this to prevent inadvertent data leakage. It calls 
     235``request.session.flush()``. We are using this example as a demonstration of 
     236how to work with session objects, not as a full ``logout()`` implementation. 
    232237 
    233238Setting test cookies
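Review bot: "does a bit more than this" should say what the example above leaves out rather than only naming the call. The example deletes a key from the session and returns; `request.session.flush()` discards every key and sends the browser a new session key, so the example leaves any other session data and the old cookie in place. One sentence to that effect, e.g. "flush() discards all session data and assigns a new session key, so the old cookie can no longer reach the previous data," would make the contrast with the example concrete.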