Opened 10 years ago
Last modified 7 years ago
#21608 closed Bug
Logged out sessions are resurrected by concurrent requests — at Initial Version
| Reported by: | Jonas Borgström | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.sessions | Version: | 1.9 |
| Severity: | Normal | Keywords: | |
| Cc: | m17.admin@…, tlt@… | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
- User logs in
- User loads a slow page in separate tab or as an ajax request
- User logs out before request in step 2 completes. This will delete the session from the db
Expected behavior
User/session stays logged out since the user explicitly logged out and the session row was delete in step 3.
Actual behavior
The previously deleted session is re-inserted into the database when the request from step 2 completes. So the previously logged out user is now logged in again.
Note:
See TracTickets
for help on using tickets.
Proposed fix (against django 1.4)