Changeset 8459

Timestamp:
08/21/08 08:54:53 (11 months ago)
Author:
mtredinnick
Message:

When logging in, change the session key whilst preserving any existing
session. This means the user will see their session preserved across a login
boundary, but somebody snooping the anonymous session key won't be able to view
the authenticated session data.

This is the final piece of the session key handling changes.

Files:

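--- a/django/trunk/django/contrib/auth/__init__.py
+++ b/django/trunk/django/contrib/auth/__init__.py
@@ -54,8 +54,13 @@
     user.last_login = datetime.datetime.now()
     user.save()
-    if request.session.get('SESSION_KEY', user.id) != user.id:
-        # To avoid reusing another user's session, create a new, empty session
-        # if the existing session corresponds to a different authenticated user.
-        request.session.flush()
+
+    if SESSION_KEY in request.session:
+        if request.session[SESSION_KEY] != user.id:
+            # To avoid reusing another user's session, create a new, empty
+            # session if the existing session corresponds to a different
+            # authenticated user.
+            request.session.flush()
+    else:
+        request.session.cycle_key()
     request.session[SESSION_KEY] = user.id
     request.session[BACKEND_SESSION_KEY] = user.backend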
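Review bot: When SESSION_KEY is already present and equals user.id, the new branch takes neither flush() nor cycle_key(), so the session key survives that login boundary even though the commit message says a login should change it, and rotating on every authentication is the usual defence against a key observed beforehand. Collapsing the two tests lets the same-user case reach cycle_key() as well: `if SESSION_KEY in request.session and request.session[SESSION_KEY] != user.id:` followed by `request.session.flush()`, with the `else: request.session.cycle_key()` branch unchanged (flush() presumably also issues a new key, which is not visible here). The else branch would also benefit from a why-comment such as `# Fresh key so that anyone holding the pre-login session key cannot read the authenticated session`. The enclosing login() starts above this hunk.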
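--- a/django/trunk/django/contrib/sessions/backends/base.py
+++ b/django/trunk/django/contrib/sessions/backends/base.py
@@ -240,4 +240,14 @@
         self.create()
 
+    def cycle_key(self):
+        """
+        Creates a new session key, whilst retaining the current session data.
+        """
+        data = self._session_cache
+        key = self.session_key
+        self.create()
+        self._session_cache = data
+        self.delete(key)
+
     # Methods that child classes must implement.
 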
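Review bot: cycle_key() puts the old data back only into `self._session_cache` after create(); whether that data is then written to the store under the new key depends on create() and on a later save(), both implemented by subclasses outside this hunk, so it is not visible here that the carried-over data ever reaches the backend. Adding `self.modified = True` after `self._session_cache = data` would state that intent explicitly instead of relying on create() leaving the flag set (the tests in this changeset show a `modified` flag exists). Reading `self._session_cache` directly also presumes the data has already been loaded; if loading is lazy, calling cycle_key() on an untouched session would raise AttributeError, so going through whatever accessor populates the cache looks safer — confirm against the base class. The docstring could additionally say why the key changes: so that a key observed before authentication can no longer reach the session data.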
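--- a/django/trunk/django/contrib/sessions/tests.py
+++ b/django/trunk/django/contrib/sessions/tests.py
@@ -38,4 +38,13 @@
 >>> db_session.modified, db_session.accessed
 (True, True)
+>>> db_session['a'], db_session['b'] = 'c', 'd'
+>>> db_session.save()
+>>> prev_key = db_session.session_key
+>>> prev_data = db_session.items()
+>>> db_session.cycle_key()
+>>> db_session.session_key == prev_key
+False
+>>> db_session.items() == prev_data
+True
 
 # Submitting an invalid session key (either by guessing, or if the db has
@@ -76,4 +85,14 @@
 >>> file_session.modified, file_session.accessed
 (True, True)
+>>> file_session['a'], file_session['b'] = 'c', 'd'
+>>> file_session.save()
+>>> prev_key = file_session.session_key
+>>> prev_data = file_session.items()
+>>> file_session.cycle_key()
+>>> file_session.session_key == prev_key
+False
+>>> file_session.items() == prev_data
+True
+
 >>> Session.objects.filter(pk=file_session.session_key).delete()
 >>> file_session = FileSession(file_session.session_key)
@@ -113,4 +132,14 @@
 >>> cache_session.modified, cache_session.accessed
 (True, True)
+>>> cache_session['a'], cache_session['b'] = 'c', 'd'
+>>> cache_session.save()
+>>> prev_key = cache_session.session_key
+>>> prev_data = cache_session.items()
+>>> cache_session.cycle_key()
+>>> cache_session.session_key == prev_key
+False
+>>> cache_session.items() == prev_data
+True
+
 >>> Session.objects.filter(pk=cache_session.session_key).delete()
 >>> cache_session = CacheSession(cache_session.session_key)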
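Review bot: The new doctests in all three hunks only compare the in-memory `items()` before and after cycle_key(); they do not show that the data is readable from the store under the new key, nor that the old key no longer resolves to any data, which is the property the commit message describes. Reopening the session from the backend after the cycle would pin both, e.g. for the file backend `>>> FileSession(file_session.session_key).items() == prev_data` and `>>> FileSession(prev_key).items()` expecting an empty result (the empty representation may differ per backend, and the first check assumes cycle_key() or a following save() persists the data — confirm). The db and cache hunks would take the same two lines with their own session classes.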