id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
17869	With RemoteUserMiddleware, users keep being logged in after web server stops sending REMOTE_USER headers	Chris Lamb	Preston Holmes	"(Forwarded from http://bugs.debian.org/663230)

This was reproduced on 1.2.3-3+squeeze2, but the RemoteUserMiddleware code seems to be the same as in 1.3.1-4 on my development machine.

RemoteUserMiddleware relies on a REMOTE_USER variable being set by the web server with the current user name; so far so good. However, it does not log the user out if the variable disappears during the same browser session.

That may never happen with the usual browsers and auth, but it does happen with other setups, like DACS, that have a logout button.

The error is in this bit of django.contrib.auth.middleware.RemoteUserMiddleware:

{{{
        try:
            username = request.META[self.header]
        except KeyError:
            # If specified header doesn't exist then return (leaving
            # request.user set to AnonymousUser by the
            # AuthenticationMiddleware).
            return
}}}

The except side assumes that if there is no request.META[self.header], then the user is the anonymous one.

Since I found that this is not always the case, I fixed it by adding a simple ""auth.logout(request)"" before returning:

{{{
        try:
            username = request.META[self.header]
        except KeyError:
            # If specified header doesn't exist then return (leaving
            # request.user set to AnonymousUser by the
            # AuthenticationMiddleware).

            # Make sure that if the server did not send any headers,
            # then we are actually logged out
            auth.logout(request)
            return
}}}
"	Bug	closed	contrib.auth	dev	Release blocker	fixed		enrico@… krzysiumed@…	Accepted	1	0	0	0	1	0

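The following stand-alone model reproduces the failure mode the ticket describes and the effect of the reporter's fix. It is an added example, not Django's code and not the patch attached to the ticket: the session is a plain dict, `load_user_from_session()` stands in for what AuthenticationMiddleware does on each request, and `remote_user_middleware()` keeps only the header lookup and login/logout decisions relevant here (the real middleware also consults an authentication backend, which is omitted). `logout_on_missing=False` is the original behaviour; `True` applies the fix.

```python
"""Model of the REMOTE_USER session-persistence bug (constructed example,
not Django's implementation). Two requests share one session: the first
carries REMOTE_USER, the second does not, as happens when the web server's
own logout feature stops sending the header."""
from dataclasses import dataclass, field

SESSION_KEY = "_auth_user_id"  # assumed session key name, as in this model only


class AnonymousUser:
    is_authenticated = False
    username = ""


@dataclass
class User:
    username: str
    is_authenticated: bool = True


@dataclass
class Request:
    META: dict
    session: dict = field(default_factory=dict)
    user: object = field(default_factory=AnonymousUser)


def load_user_from_session(request):
    """Stand-in for AuthenticationMiddleware: rebuild request.user from the
    session, or leave AnonymousUser if nothing is stored there."""
    name = request.session.get(SESSION_KEY)
    request.user = User(name) if name else AnonymousUser()


def login(request, user):
    """Persist the user in the session so later requests see them."""
    request.session[SESSION_KEY] = user.username
    request.user = user


def logout(request):
    """Flush the session and drop back to AnonymousUser."""
    request.session.clear()
    request.user = AnonymousUser()


def remote_user_middleware(request, header="REMOTE_USER", logout_on_missing=False):
    """Header lookup as in the ticket. With logout_on_missing=False the
    KeyError branch just returns, trusting request.user as loaded from the
    session; with True it logs the user out first (the reporter's fix)."""
    try:
        username = request.META[header]
    except KeyError:
        if logout_on_missing:
            logout(request)
        return
    # Header present: nothing to do if the session already holds this user,
    # otherwise establish the session for the name the web server vouched for.
    if request.user.is_authenticated and request.user.username == username:
        return
    login(request, User(username))


def simulate(logout_on_missing):
    """Run the two-request scenario and return the username the view would
    see on the second request ('' means anonymous)."""
    session = {}
    first = Request(META={"REMOTE_USER": "alice"}, session=session)
    load_user_from_session(first)
    remote_user_middleware(first, logout_on_missing=logout_on_missing)

    second = Request(META={}, session=session)  # web server stopped sending the header
    load_user_from_session(second)
    remote_user_middleware(second, logout_on_missing=logout_on_missing)
    return second.user.username


if __name__ == "__main__":
    print("original behaviour:", repr(simulate(False)))  # 'alice': still logged in
    print("with logout on missing header:", repr(simulate(True)))  # '': logged out
```

The first request logs "alice" in through the session; on the second request the session still names "alice", so the original middleware's early return leaves the view running as that user even though the web server no longer vouches for anyone. Calling logout in the missing-header branch is what severs the session from the now-absent REMOTE_USER.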