Ticket #6941: 6941_notests.diff

File 6941_notests.diff, 1.7 KB (added by axiak, 7 years ago)

An initial patch. No tests yet.

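--- a/django/contrib/auth/__init__.py
+++ b/django/contrib/auth/__init__.py
@@ -43,6 +43,17 @@
         user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
         return user
 
+def clear_session(request):
+    """
+    Clear the session out.
+    """
+    from django.conf import settings
+    from django.contrib.sessions.middleware import SessionMiddleware
+
+    # Uses the cookies to remove memory.
+    request.COOKIES[settings.SESSION_COOKIE_NAME] = None
+    SessionMiddleware().process_request(request)
+
 def login(request, user):
     """
     Persist a user id and a backend in the request. This way a user doesn't
@@ -53,6 +64,9 @@
     # TODO: It would be nice to support different login methods, like signed cookies.
     user.last_login = datetime.datetime.now()
     user.save()
+    if request.session.get(SESSION_KEY, user.id) != user.id:
+        # A different user is logged in; we need to destroy the session.
+        clear_session(request)
     request.session[SESSION_KEY] = user.id
     request.session[BACKEND_SESSION_KEY] = user.backend
     if hasattr(request, 'user'):
@@ -62,14 +76,8 @@
     """
     Remove the authenticated user's ID from the request.
     """
-    try:
-        del request.session[SESSION_KEY]
-    except KeyError:
-        pass
-    try:
-        del request.session[BACKEND_SESSION_KEY]
-    except KeyError:
-        pass
+    # Since the user is logging out, just clear their session:
+    clear_session(request)
     if hasattr(request, 'user'):
         from django.contrib.auth.models import AnonymousUser
         request.user = AnonymousUser()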
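Review bot: In the logout hunk, `clear_session(request)` replaces the explicit `del request.session[SESSION_KEY]` / `del request.session[BACKEND_SESSION_KEY]`, but the helper only sets `request.COOKIES[settings.SESSION_COOKIE_NAME] = None` and re-runs `SessionMiddleware().process_request(request)`; nothing visible deletes or empties the old session's stored record. If the fresh session object is never marked modified, the response probably will not replace the browser's cookie, so the old session id would still load a session holding the auth keys and the user could remain logged in after logout; the same stale record is left behind by the `login` hunk. The helper should destroy the stored session and rotate its key, e.g. `request.session.flush()` where the session API provides it, instead of rewriting `request.COOKIES` from auth code. The patch ships without tests; one that logs out and then replays the old session cookie would pin this behaviour. The signature of `logout` lies outside the hunk.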