Opened 7 years ago

Closed 7 years ago

#27706 closed Uncategorized (invalid)

Session key is not set when trying to log in, when another user's session cookie is sent with the login request

Reported by: Utku Gültopu
Owned by: nobody
Component: contrib.auth
Version: 1.10
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Code in views.py:

from django.contrib import auth
from django.contrib.auth.models import User
from django.http import HttpResponse
import json

def login(request):
    username = request.POST['username']
    password = request.POST['password']
    user = auth.authenticate(username=username, password=password)
    if user is not None:
        try:
            auth.login(request, user)
            # Read the key straight after auth.login(), before the session
            # middleware has had a chance to save the session.
            session_key = request.session.session_key
            if session_key is not None:
                return HttpResponse(json.dumps({'status': 'Success',
                    'sessionid': session_key}))
            else:
                return HttpResponse(json.dumps({'status': 'Empty session key'}))
        except Exception as e:
            return HttpResponse(json.dumps({'status': 'Cannot log in'}))
    else:
        return HttpResponse(json.dumps({'status': 'Cannot authenticate'}))

Steps to reproduce

  1. curl http://127.0.0.1:8000/login/ -d username=foo -d password=passfoo

Response is:
{"status": "Success", "sessionid": "b65e765b2c4546da8825d5764c8ef126"}

  2. curl http://127.0.0.1:8000/login/ -d username=bar -d password=passbar -b sessionid=b65e765b2c4546da8825d5764c8ef126

Response is:
{"status": "Empty session key"}

Is this expected behavior?

Regards

Change History (1)

comment:1 by Tim Graham, 7 years ago

Resolution: → invalid
Status: new → closed

As far as I see, this is the behavior as of 393c0e24223c701edeb8ce7dc9d0f852f0c081ad. If you feel it should be changed, feel free to explain in more detail. I think you could adapt your little snippet to account for it. Otherwise, please ask "is it intended behavior" (usage) questions on our support channels. Thanks!
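The mechanism behind the two responses, as an added illustration that is not part of the ticket and not Django's own code: `auth.login()` treats a presented session that already belongs to a different authenticated user as one it must never reuse, so it calls `request.session.flush()`, which deletes the stored session and leaves `session_key` as `None` until the session is next saved (normally by `SessionMiddleware.process_response`, after the view has returned). With no cookie, or an anonymous session cookie, it instead calls `cycle_key()`, which assigns a new key immediately. The in-memory `SessionStore` below is a constructed model of only those methods of Django's session backend; the session-auth-hash comparison the real `login()` also performs is omitted, and user ids are plain strings for readability.

```python
import secrets

SESSION_KEY = '_auth_user_id'  # the key name Django stores the user's pk under


class SessionStore:
    """In-memory model of the key lifecycle of Django's db session backend.

    Constructed for this example only. It mirrors the behaviour of
    flush(), cycle_key(), create() and save() that auth.login() relies on.
    """
    backend = {}  # session_key -> dict; stands in for the django_session table

    def __init__(self, session_key=None):
        # An unknown key behaves like an expired cookie: empty data, no key,
        # and a fresh key gets assigned on the next save.
        self.session_key = session_key if session_key in self.backend else None
        self._data = dict(self.backend.get(self.session_key, {}))

    def __contains__(self, key):
        return key in self._data

    def __getitem__(self, key):
        return self._data[key]

    def __setitem__(self, key, value):
        self._data[key] = value

    def create(self):
        self.session_key = secrets.token_hex(16)
        self.save()

    def save(self):
        if self.session_key is None:  # same rule as the db backend's save()
            return self.create()
        self.backend[self.session_key] = dict(self._data)

    def delete(self, key=None):
        self.backend.pop(key if key is not None else self.session_key, None)

    def flush(self):
        self._data = {}
        self.delete()
        self.session_key = None  # no key exists until something saves

    def cycle_key(self):
        data, old = self._data, self.session_key
        self.create()            # new key, data kept
        self._data = data
        if old:
            self.delete(old)


def login(session, user_pk):
    """Branch structure of django.contrib.auth.login() (model, not Django's code)."""
    if SESSION_KEY in session:
        if session[SESSION_KEY] != user_pk:
            # Session belongs to another authenticated user: drop it entirely
            # rather than let the second user inherit (or fix) that key.
            session.flush()
    else:
        # Anonymous session: keep its data but rotate the key.
        session.cycle_key()
    session[SESSION_KEY] = user_pk


def login_view(cookie_key, user_pk):
    """Return (key as read in the ticket's view, key after the middleware saved)."""
    session = SessionStore(cookie_key)
    login(session, user_pk)
    key_in_view = session.session_key  # what the ticket's view puts in its JSON
    session.save()                     # what SessionMiddleware.process_response does
    return key_in_view, session.session_key


def reproduce():
    """The ticket's two curl requests."""
    foo_key, _ = login_view(None, 'foo')                     # step 1: no cookie
    bar_view_key, bar_final_key = login_view(foo_key, 'bar')  # step 2: foo's cookie
    return foo_key, bar_view_key, bar_final_key


def same_user_again():
    """Presenting your own session again: no flush, no rotation."""
    foo_key, _ = login_view(None, 'foo')
    again_view_key, again_final_key = login_view(foo_key, 'foo')
    return foo_key, again_view_key, again_final_key


def anonymous_then_login():
    """Anonymous session data survives login, but the key is rotated."""
    anon = SessionStore()
    anon['cart'] = ['item-1']  # constructed pre-login session data
    anon.save()
    _, final_key = login_view(anon.session_key, 'foo')
    return anon.session_key, final_key
```

The snippet in the ticket can therefore observe `None` only in the "someone else's cookie" case; calling `request.session.save()` after `auth.login()` and before reading `session_key` is what Tim Graham's "adapt your little snippet" amounts to, and the model's `login_view()` shows that the key the middleware would eventually issue is a fresh one, while the first user's key is gone from the store.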
