Test cookie deletion in admin crashes with a KeyError when a previously authenticated user logs in to the admin
|Reported by:||Rajesh Dhawan||Owned by:||nobody|
|Severity:||Keywords:||Admin auth cookies|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Traceback: File "/home/rajesh/Development/default-django/django/core/handlers/base.py" in get_response 86. response = callback(request, *callback_args, **callback_kwargs) File "/home/rajesh/Development/default-django/django/contrib/admin/sites.py" in root 156. return self.login(request) File "/home/rajesh/Development/django-svn/django/views/decorators/cache.py" in _wrapped_view_func 44. response = view_func(request, *args, **kwargs) File "/home/rajesh/Development/default-django/django/contrib/admin/sites.py" in login 280. request.session.delete_test_cookie() File "/home/rajesh/Development/default-django/django/contrib/sessions/backends/base.py" in delete_test_cookie 84. del self[self.TEST_COOKIE_NAME] File "/home/rajesh/Development/default-django/django/contrib/sessions/backends/base.py" in __delitem__ 53. del self._session[key] Exception Type: KeyError at /admin/ Exception Value: 'testcookie'
Steps to reproduce:
- Log in to the site as a regular (non-staff) user.
- Without logging out, log in to the admin area as a staff user.
- KeyError is raised by the application.
With reference to django/trunk/django/contrib/admin/sites.py, the login call on line 274 has the side effect of flushing/clearing out the session of the previously logged in user (as of ). This empty session causes the
delete_test_cookie call on line 277 to fail with a KeyError.
I think that the test cookie should only be deleted after checking
request.session.test_cookie_worked(). Note that there is
test_cookie_worked() call at line 244 but that does not account for the above case where the session is subsequently going to be cleared out.
Change History (5)
comment:1 Changed 8 years ago by
|Patch needs improvement:||unset|