From 31cb25adecba930bdeee4556709f5a1c42d88fd6 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Mon, 11 May 2015 09:58:43 -0400 Subject: [PATCH] [1.8.x] Fixed incorrect session.flush() in cached_db session backend. This is a security fix; disclosure to follow shortly. Thanks Sam Cooke for the report and draft patch. --- django/contrib/sessions/backends/cached_db.py | 2 +- docs/releases/1.8.2.txt | 18 +++++++++++++++++- tests/sessions_tests/tests.py | 1 + 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/django/contrib/sessions/backends/cached_db.py b/django/contrib/sessions/backends/cached_db.py index 03e31d8d26..0ba12f553f 100644 --- a/django/contrib/sessions/backends/cached_db.py +++ b/django/contrib/sessions/backends/cached_db.py @@ -79,7 +79,7 @@ class SessionStore(DBStore): """ self.clear() self.delete(self.session_key) - self._session_key = '' + self._session_key = None # At bottom to avoid circular import from django.contrib.sessions.models import Session # isort:skip diff --git a/docs/releases/1.8.2.txt b/docs/releases/1.8.2.txt index 635bc96e92..2351664203 100644 --- a/docs/releases/1.8.2.txt +++ b/docs/releases/1.8.2.txt @@ -4,7 +4,23 @@ Django 1.8.2 release notes *Under development* -Django 1.8.2 fixes several bugs in 1.8.1. +Django 1.8.2 fixes a security issue and several bugs in 1.8.1. + +Fixed session flushing in the ``cached_db`` backend +=================================================== + +A change to ``session.flush()`` in the ``cached_db`` session backend in Django +1.8 mistakenly sets the session key to an empty string rather than ``None``. An +empty string is treated as a valid session key and the session cookie is set +accordingly. Any users with an empty string in their session cookie will use +the same session store. ``session.flush()`` is called by +``django.contrib.auth.logout()`` and, more seriously, by +``django.contrib.auth.login()`` when a user switches accounts. If a user is +logged in and logs in again to a different account (without logging out) the +session is flushed to avoid reuse. After the session is flushed (and its +session key becomes ``''``) the account details are set on the session and the +session is saved. Any users with an empty string in their session cookie will +now be logged into that account. Bugfixes ======== diff --git a/tests/sessions_tests/tests.py b/tests/sessions_tests/tests.py index d9e6817976..78f7a07155 100644 --- a/tests/sessions_tests/tests.py +++ b/tests/sessions_tests/tests.py @@ -162,6 +162,7 @@ class SessionTestsMixin(object): self.session.flush() self.assertFalse(self.session.exists(prev_key)) self.assertNotEqual(self.session.session_key, prev_key) + self.assertIsNone(self.session.session_key) self.assertTrue(self.session.modified) self.assertTrue(self.session.accessed)