Commit 97a7dab

committed

Fixed #6941 -- When logging a user out, or when logging in with an existing

session and a different user id to the current session owner, flush the session data to avoid leakage. Logging in and moving from an anonymous user to a validated user still keeps existing session data. Backwards incompatible if you were assuming sessions persisted past logout. git-svn-id: http://code.djangoproject.com/svn/django/trunk@8343 bcc190cf-cafb-0310-a4f2-bffc1f526a37

1 parent 5e8efa9 commit 97a7dabCopy full SHA for 97a7dab

File tree

3 files changed

+21

-11

lines changed

django/contrib/auth
- __init__.py
docs
- authentication.txt
- sessions.txt

3 files changed

+21

-11

lines changed

`‎django/contrib/auth/init.py‎`

Lines changed: 7 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -53,23 +53,21 @@ def login(request, user):`
`53`	`53`	`# TODO: It would be nice to support different login methods, like signed cookies.`
`54`	`54`	`user.last_login = datetime.datetime.now()`
`55`	`55`	`user.save()`
	`56`	`+ if request.session.get('SESSION_KEY', user.id) != user.id:`
	`57`	`+ # To avoid reusing another user's session, create a new, empty session`
	`58`	`+ # if the existing session corresponds to a different authenticated user.`
	`59`	`+ request.session.flush()`
`56`	`60`	`request.session[SESSION_KEY] = user.id`
`57`	`61`	`request.session[BACKEND_SESSION_KEY] = user.backend`
`58`	`62`	`if hasattr(request, 'user'):`
`59`	`63`	`request.user = user`
`60`	`64`
`61`	`65`	`def logout(request):`
`62`	`66`	`"""`
`63`		`- Remove the authenticated user's ID from the request.`
	`67`	`+ Removes the authenticated user's ID from the request and flushes their`
	`68`	`+ session data.`
`64`	`69`	`"""`
`65`		`- try:`
`66`		`- del request.session[SESSION_KEY]`
`67`		`- except KeyError:`
`68`		`- pass`
`69`		`- try:`
`70`		`- del request.session[BACKEND_SESSION_KEY]`
`71`		`- except KeyError:`
`72`		`- pass`
	`70`	`+ request.session.flush()`
`73`	`71`	`if hasattr(request, 'user'):`
`74`	`72`	`from django.contrib.auth.models import AnonymousUser`
`75`	`73`	`request.user = AnonymousUser()`

`‎docs/authentication.txt‎`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
@@ -426,6 +426,13 @@ use ``django.contrib.auth.logout()`` within your view. It takes an
`426`	`426`
`427`	`427`	Note that ``logout()`` doesn't throw any errors if the user wasn't logged in.
`428`	`428`
	`429`	+New in Django development version: When you call ``logout()``, the session
	`430`	`+data for the current request is completely cleaned out. All existing data is`
	`431`	`+removed. This is to prevent another person from using the same web browser to`
	`432`	`+log in and have access to the previous user's session data. If you want to put`
	`433`	`+anything into the session that will be available to the user immediately after`
	`434`	+logging out, do that after calling ``django.contrib.auth.logout()``.
	`435`	`+`
`429`	`436`	`Limiting access to logged-in users`
`430`	`437`	`----------------------------------`
`431`	`438`

`‎docs/sessions.txt‎`

Lines changed: 7 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -117,8 +117,8 @@ It also has these methods:`
`117`	`117`	`Delete the current session data from the database and regenerate the`
`118`	`118`	`session key value that is sent back to the user in the cookie. This is`
`119`	`119`	`used if you want to ensure that the previous session data can't be`
`120`		`- accessed again from the user's browser (for example, the standard`
`121`		- ``logout()`` method calls it).
	`120`	`+ accessed again from the user's browser (for example, the`
	`121`	+ ``django.contrib.auth.logout()`` method calls it).
`122`	`122`
`123`	`123`	* ``set_test_cookie()``
`124`	`124`
`@@ -230,6 +230,11 @@ This simplistic view logs in a "member" of the site::`
`230`	`230`	`pass`
`231`	`231`	`return HttpResponse("You're logged out.")`
`232`	`232`
	`233`	+The standard ``django.contrib.auth.logout()`` function actually does a bit
	`234`	`+more than this to prevent inadvertent data leakage. It calls`
	`235`	+``request.session.flush()``. We are using this example as a demonstration of
	`236`	+how to work with session objects, not as a full ``logout()`` implementation.
	`237`	`+`
`233`	`238`	`Setting test cookies`
`234`	`239`	`====================`
`235`	`240`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit 97a7dab

File tree

3 files changed

3 files changed

`‎django/contrib/auth/init.py‎`

`‎docs/authentication.txt‎`

`‎docs/sessions.txt‎`

0 commit comments

Uh oh!

File tree

3 files changed

3 files changed

‎django/contrib/auth/__init__.py‎

‎docs/authentication.txt‎

‎docs/sessions.txt‎

0 commit comments

`‎django/contrib/auth/init.py‎`

`‎docs/authentication.txt‎`

`‎docs/sessions.txt‎`