Already logged-in user remains logged in when RemoteUser authentication of new user fails
|Reported by:||david.greisen@…||Owned by:||nobody|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||yes||Patch needs improvement:||no|
Currently, when remoteUserBackend fails to authenticate the
username passed in the header, and create_unknown_user==False,
RemoteUserMiddleware does nothing. Thus, if a different user
was logged in, that user will remain logged in despite the failed
attempt to log in a new user.
This is a security issue.
https://github.com/django/django/pull/2936 fixes this problem
by logging out the request if the user returned
by the middleware is None (a failed login attempt).
Change History (7)
comment:1 Changed 10 months ago by timo
- Easy pickings unset
- Has patch set
- Needs documentation unset
- Needs tests set
- Patch needs improvement unset
comment:3 Changed 9 months ago by Tim Graham <timograham@…>
- Resolution set to fixed
- Status changed from new to closed