
Ticket #6941: clear_session_on_logout_and_login.diff

File clear_session_on_logout_and_login.diff, 1.3 KB (added by mrts, 6 years ago)

A simpler patch that depends on #7515

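--- a/django/contrib/auth/__init__.py
+++ b/django/contrib/auth/__init__.py
@@ -53,14 +53,18 @@
     # TODO: It would be nice to support different login methods, like signed cookies.
     user.last_login = datetime.datetime.now()
     user.save()
+    if request.session.get(SESSION_KEY, user.id) != user.id:
+        # a different user was logged in, his data has to be cleared
+        request.session.clear()
     request.session[SESSION_KEY] = user.id
     request.session[BACKEND_SESSION_KEY] = user.backend
     if hasattr(request, 'user'):
         request.user = user
 
-def logout(request):
+def logout(request, clear_session=True):
     """
-    Remove the authenticated user's ID from the request.
+    Remove the authenticated user's ID from the request and optionally clear
+    the session.
     """
     try:
         del request.session[SESSION_KEY]
@@ -70,6 +74,8 @@
         del request.session[BACKEND_SESSION_KEY]
     except KeyError:
         pass
+    if clear_session:
+        request.session.clear()
     if hasattr(request, 'user'):
         from django.contrib.auth.models import AnonymousUser
         request.user = AnonymousUser()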
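Review bot: The added guard in login(), `if request.session.get(SESSION_KEY, user.id) != user.id:`, leaves the session untouched when nobody was logged in before, so a session identifier issued to an anonymous visitor carries over unchanged into the authenticated session, which is the session-fixation condition. Nothing visible in either hunk issues a new session key: `request.session.clear()` is only shown emptying the data, and whether it also rotates the key depends on the backend work in #7515, which is not on this page. I would regenerate the key on every successful login and discard the whole session on logout (later Django exposes this as `request.session.cycle_key()` and `request.session.flush()`; confirm what the backend at this revision offers). The logout() docstring should also say what the flag does, e.g. `If clear_session is true (the default), all session data is removed, not only the auth keys.`, since that default changes behaviour for existing callers that keep non-auth data in the session. Both function bodies start or continue outside the hunks shown.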