Already logged-in user remains logged in when RemoteUser authentication of new user fails
Reported by:
Owned by: nobody
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Currently, when RemoteUserBackend fails to authenticate the
username passed in the header, and create_unknown_user == False,
RemoteUserMiddleware does nothing. Thus, if a different user
was logged in, that user will remain logged in despite the failed
attempt to log in a new user.
This is a security issue.
https://github.com/django/django/pull/2936 fixes this problem
by logging out the request if the user returned
by the middleware is None (a failed login attempt).
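The behaviour reported above and the proposed fix, as an added Python model that is not Django's code and not the patch in the linked pull request: the session is a plain dict, the names User, AnonymousUser, Request, authenticate, login, logout, process_request, simulate and the KNOWN_USERS table are all constructed for this example, and authenticate() stands in for RemoteUserBackend with create_unknown_user=False (an unknown username yields None).

```python
# Added model of the ticket's scenario. NOT Django's RemoteUserMiddleware;
# every name below is an assumption made for this example.

KNOWN_USERS = {"alice", "bob"}  # constructed user table for the example


class User:
    is_authenticated = True

    def __init__(self, username):
        self.username = username


class AnonymousUser:
    is_authenticated = False
    username = ""


def authenticate(remote_user):
    """Stand-in for RemoteUserBackend with create_unknown_user=False:
    a username that is not in the user table is a failed login (None)."""
    return User(remote_user) if remote_user in KNOWN_USERS else None


class Request:
    def __init__(self, session, remote_user=None):
        self.session = session
        # The web server sets REMOTE_USER; omit it to model a missing header.
        self.META = {} if remote_user is None else {"REMOTE_USER": remote_user}
        # What AuthenticationMiddleware does: rebuild request.user from the session.
        self.user = User(session["user"]) if "user" in session else AnonymousUser()


def login(request, user):
    request.session["user"] = user.username
    request.user = user


def logout(request):
    request.session.clear()
    request.user = AnonymousUser()


def process_request(request, logout_on_failed_auth):
    """Model of the middleware's process_request.

    logout_on_failed_auth=False reproduces the reported behaviour;
    logout_on_failed_auth=True applies the fix the ticket describes
    (log the request out when the backend returns None)."""
    try:
        username = request.META["REMOTE_USER"]
    except KeyError:
        return
    # The header names the user already in the session: nothing to do.
    if request.user.is_authenticated and request.user.username == username:
        return
    user = authenticate(username)
    if user is not None:
        login(request, user)
    elif logout_on_failed_auth:
        # The fix: a failed attempt to log in the header's user must not
        # leave the previously authenticated user attached to the session.
        logout(request)
    # Without the fix, None is silently ignored here and request.user keeps
    # whatever AuthenticationMiddleware loaded from the session.


def simulate(logout_on_failed_auth, second_header="mallory"):
    """Two requests sharing one session cookie. Returns the username the
    second request ends up authenticated as, or None if it is anonymous."""
    session = {}
    # Request 1: the header names a known user, who gets logged in.
    first = Request(session, remote_user="alice")
    process_request(first, logout_on_failed_auth)
    # Request 2: same session, but the header now names someone else.
    second = Request(session, remote_user=second_header)
    process_request(second, logout_on_failed_auth)
    return second.user.username if second.user.is_authenticated else None


if __name__ == "__main__":
    print("unpatched:", simulate(False))  # alice remains logged in
    print("patched:  ", simulate(True))   # None: the session was logged out
```

The check that matters is the second request: with the unpatched branch the session still carries alice even though the header named an unknown user, while with the fix the failed authentication clears the session. When the second header names a different known user (for example "bob"), both variants log that user in, which is the intended behaviour either way.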