#23066 closed Bug (fixed)
Already logged-in user remains logged in when RemoteUser authentication of new user fails
| Reported by: | | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | remoteUserBackend RemoteUserMiddleware |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | yes | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Currently, when remoteUserBackend fails to authenticate the username passed in the header, and create_unknown_user==False, RemoteUserMiddleware does nothing. Thus, if a different user was logged in, that user will remain logged in despite the failed attempt to log in a new user.

This is a security issue.

https://github.com/django/django/pull/2936 fixes this problem by logging out the request if the user returned by the middleware is None (a failed login attempt).
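As an added illustration (not the ticket's patch or Django's own code), a simplified model of the middleware's process_request that runs the pre-fix behaviour beside the behaviour with the PR 2936 logout; the user names, the session dict and the backend are constructed stand-ins for Django's real objects.

```python
# Simplified model of RemoteUserMiddleware.process_request (not Django's code)
# to show the behaviour reported in #23066 and the fix from PR 2936.
from dataclasses import dataclass, field

KNOWN_USERS = {"alice"}      # constructed sample: users that exist in the DB
ANONYMOUS = None             # stands in for AnonymousUser / no session user


@dataclass
class Request:
    META: dict
    user: object = ANONYMOUS                  # who the session says is logged in
    session: dict = field(default_factory=dict)


def backend_authenticate(remote_user):
    """RemoteUserBackend with create_unknown_user=False: unknown names fail."""
    return remote_user if remote_user in KNOWN_USERS else None


def login(request, user):
    request.user = user
    request.session["_auth_user_id"] = user


def logout(request):
    request.user = ANONYMOUS
    request.session.clear()


def process_request(request, fix_applied):
    """Return the user left logged in after the middleware has run."""
    username = request.META.get("REMOTE_USER")
    if username is None:
        return request.user
    if request.user is not ANONYMOUS and request.user == username:
        return request.user               # header already matches the session
    user = backend_authenticate(username)
    if user is not None:
        login(request, user)
    elif fix_applied:
        logout(request)                   # PR 2936: failed attempt ends the old session
    return request.user                   # pre-fix: old user silently stays logged in


def who_is_logged_in(existing_user, header_user, fix_applied):
    """Simulate a request carrying REMOTE_USER on a session of existing_user."""
    req = Request(META={"REMOTE_USER": header_user})
    if existing_user is not None:
        login(req, existing_user)
    return process_request(req, fix_applied)
```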
Change History (7)
comment:1 by , 11 years ago
| Easy pickings: | unset | 
|---|---|
| Has patch: | set | 
| Needs tests: | set | 
comment:2 by , 11 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|---|
comment:3 by , 11 years ago
| Resolution: | → fixed | 
|---|---|
| Status: | new → closed | 
If this is a security issue that can be exploited by an attacker, please report the details privately. If this is simply security hardening, then it's fine to post more details here.

As far as I can tell, Django's normal authentication doesn't implement the protocol of logging out an existing user after a failed login attempt. Could you elaborate (to the security@ alias if necessary) on why RemoteUserMiddleware needs to do so? Thanks. (To be merged, the patch would also need a test.)