Ticket #27468: 27468-sessions.diff

File 27468-sessions.diff, 2.4 KB (added by Claude Paroz, 4 years ago)

WIP patch for user sessions

  • django/contrib/auth/__init__.py 

    diff --git a/django/contrib/auth/__init__.py b/django/contrib/auth/__init__.py
index 09db690b5c..c2409d1690 100644
    a b def login(request, user, backend=None):  
    9191    the anonymous session is retained when the user logs in.
    9292    """
    9393    session_auth_hash = ''
     94    session_auth_hash_legacy = ''
    9495    if user is None:
    9596        user = request.user
    9697    if hasattr(user, 'get_session_auth_hash'):
    9798        session_auth_hash = user.get_session_auth_hash()
     99    if hasattr(user, '_get_session_auth_hash_legacy'):
     100        session_auth_hash_legacy = user._get_session_auth_hash_legacy()
    98101
    99102    if SESSION_KEY in request.session:
    100         if _get_user_session_key(request) != user.pk or (
     103        if _get_user_session_key(request) != user.pk or ((
    101104                session_auth_hash and
    102                 not constant_time_compare(request.session.get(HASH_SESSION_KEY, ''), session_auth_hash)):
     105                not constant_time_compare(request.session.get(HASH_SESSION_KEY, ''), session_auth_hash)) and (
     106                session_auth_hash_legacy and
     107                not constant_time_compare(request.session.get(HASH_SESSION_KEY, ''), session_auth_hash_legacy))):
    103108            # To avoid reusing another user's session, create a new, empty
    104109            # session if the existing session corresponds to a different
    105110            # authenticated user.

  • django/contrib/auth/base_user.py 

    diff --git a/django/contrib/auth/base_user.py b/django/contrib/auth/base_user.py
index f39c12a350..13fa59785c 100644
    a b class AbstractBaseUser(models.Model):  
    120120        """
    121121        return is_password_usable(self.password)
    122122
     123    def _get_session_auth_hash_legacy(self):
     124        """
     125        Return an HMAC of the password field.
     126        """
     127        key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"
     128        return salted_hmac(key_salt, self.password, algorithm='sha1').hexdigest()
     129
    123130    def get_session_auth_hash(self):
    124131        """
    125132        Return an HMAC of the password field.
    126133        """
    127134        key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"
    128         return salted_hmac(key_salt, self.password).hexdigest()
     135        return salted_hmac(key_salt, self.password, algorithm='sha256').hexdigest()
    129136
    130137    @classmethod
    131138    def get_email_field_name(cls):
Back to Top