Opened 8 years ago

Closed 8 years ago

Last modified 5 years ago

#10265 closed (fixed)

_make_token_with_timestamp inconsistent based on User.last_login

Reported by: felix Owned by: nobody
Component: Contrib apps Version: 1.0
Severity: Keywords: auth token login
Cc: crucialfelix@… Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description (last modified by Alex Gaynor)

The default token generator makes inconsistent tokens depending on whether the user has been loaded from the DB or has just been created during this response.

The difference is that a User just created has a last_login with microseconds set, but when reloaded from the DB it does not, and the token generator uses unicode(user.last_login) in the hash.

>>> from django.contrib.auth.models import User
>>> u1 = User.objects.create_user("username","user@email.com","password")
>>> u1.last_login
datetime.datetime(2009, 2, 14, 16, 5, 3, 638275)
>>> unicode(u1.last_login)
u'2009-02-14 16:05:03.638275'

>>> u2 = User.objects.all()[0]
>>> u2
<User: crucial>
>>> u2.last_login
datetime.datetime(2009, 2, 14, 15, 47, 20)
>>> unicode(u2.last_login)
u'2009-02-14 15:47:20'

(As an aside, I don't think that a user should be created with a last login of now.
A new user has never logged in.)

# user just made, generate token:
making token 3 2009-02-14 16:24:33.632380 2966
2ae-c3c68b86d5148e768353

# user comes to site, token fails equality test in check_token
making token 3 2009-02-14 16:24:33 2966
2ae-e8d746b5603f6fae0fd5

The fix is to explicitly format user.last_login without microseconds.

This fix should not break any currently generated tokens out there in email land.
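The mismatch above, reproduced in a self-contained script. This is an added illustration, not Django's token generator or the ticket's patch: FakeUser, SECRET_KEY, the password-hash string and the day-count timestamp 2966 are constructed stand-ins, and the digest is an HMAC-SHA256 over the same ingredients the description names (user id, password hash, last_login, timestamp) rather than whatever hash the real generator of that era used. It shows the naive str(last_login) form producing two different tokens for the same user, the explicitly formatted form producing one, and a check_token that recomputes the token from the stored row, compares in constant time and applies a timeout.

```python
import hmac
import hashlib
from datetime import datetime

# Constructed stand-in for settings.SECRET_KEY (not a real key).
SECRET_KEY = b"constructed-secret-key-for-demonstration-only"
TOKEN_TIMEOUT_DAYS = 3


class FakeUser:
    """Constructed stand-in for a User row: only the fields the token hashes."""

    def __init__(self, pk, password_hash, last_login):
        self.pk = pk
        self.password = password_hash
        self.last_login = last_login


def _digest(user, timestamp_days, last_login_repr):
    # Assumption: HMAC-SHA256 over the ingredients the ticket lists. The exact
    # hash construction of the original generator is not reproduced here.
    msg = "|".join([str(user.pk), user.password, last_login_repr,
                    str(timestamp_days)]).encode("utf-8")
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]


def make_token_naive(user, timestamp_days):
    """Buggy form: str(last_login) keeps microseconds when the object has them."""
    return "%d-%s" % (timestamp_days,
                      _digest(user, timestamp_days, str(user.last_login)))


def make_token_fixed(user, timestamp_days):
    """Fixed form: format last_login explicitly so microseconds never leak in."""
    login_repr = user.last_login.strftime("%Y-%m-%d %H:%M:%S")
    return "%d-%s" % (timestamp_days,
                      _digest(user, timestamp_days, login_repr))


def check_token(user, token, now_days, make_token=make_token_fixed):
    """Recompute the token for the stored user and compare in constant time."""
    try:
        ts_str, _ = token.split("-", 1)
        timestamp_days = int(ts_str)
    except ValueError:
        return False
    expected = make_token(user, timestamp_days)
    if not hmac.compare_digest(expected, token):
        return False
    # Reject tokens from the future or older than the timeout (day counts).
    return 0 <= now_days - timestamp_days <= TOKEN_TIMEOUT_DAYS


def demo():
    # Constructed values mirroring the ticket: the object created in this
    # request keeps microseconds; the same row reloaded from the DB lost them.
    created = datetime(2009, 2, 14, 16, 5, 3, 638275)
    reloaded = created.replace(microsecond=0)
    pw = "constructed-password-hash"
    user_in_request = FakeUser(3, pw, created)
    user_from_db = FakeUser(3, pw, reloaded)
    ts = 2966  # day-count timestamp taken from the ticket's debug output

    naive_token = make_token_naive(user_in_request, ts)
    fixed_token = make_token_fixed(user_in_request, ts)
    return {
        "naive_consistent": make_token_naive(user_from_db, ts) == naive_token,
        "fixed_consistent": make_token_fixed(user_from_db, ts) == fixed_token,
        "naive_check": check_token(user_from_db, naive_token, ts, make_token_naive),
        "fixed_check": check_token(user_from_db, fixed_token, ts),
        "expired": check_token(user_from_db, fixed_token,
                               ts + TOKEN_TIMEOUT_DAYS + 1),
        "malformed": check_token(user_from_db, "not-a-token", ts),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-16s %s" % (name, result))
```

The token a user receives in email is only ever verified against the row as the database returns it, so any field that the ORM and the database represent differently must be normalised before it enters the hash; strftime with an explicit format does that for last_login, and the same rule applies to any other datetime a token construction folds in.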

Attachments (1)

token.patch (1.3 KB) - added by crucialfelix@… 8 years ago.


Change History (5)

Changed 8 years ago by crucialfelix@…

Attachment: token.patch added

comment:1 Changed 8 years ago by Alex Gaynor

Description: modified (diff)
Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset

Please use the preview button :)

comment:2 Changed 8 years ago by Jacob

milestone: 1.1
Triage Stage: Unreviewed → Accepted

comment:3 Changed 8 years ago by Jacob

Resolution: fixed
Status: new → closed

(In [10341]) Fixed #10265: fixed a bug when generating a password reset token for a user created on the same request. Thanks, crucialfelix.

comment:4 Changed 5 years ago by Jacob

milestone: 1.1

Milestone 1.1 deleted
