Fixed #27009 -- Made update_session_auth_hash() rotate the session key.

2016-08-15 19:29:12 -04:00 · 2016-08-15 19:29:12 -04:00 · 7549eb0004
parent 937d752d3d
commit 7549eb0004
4 changed files with 16 additions and 5 deletions
--- a/django/contrib/auth/init.py
+++ b/django/contrib/auth/init.py
@ -215,6 +215,7 @@ def update_session_auth_hash(request, user):
    appropriately to prevent a password change from logging out the session
    from which the password was changed.
    """
+    request.session.cycle_key()
    if hasattr(user, 'get_session_auth_hash') and request.user == user:
        request.session[HASH_SESSION_KEY] = user.get_session_auth_hash()

--- a/docs/releases/1.11.txt
+++ b/docs/releases/1.11.txt
@ -84,6 +84,9 @@ Minor features
  :class:`~django.contrib.auth.views.PasswordResetConfirmView` allows
  automatically logging in a user after a successful password reset.

+* :func:`~django.contrib.auth.update_session_auth_hash` now rotates the session
+  key to allow a password change to invalidate stolen session cookies.
+
 :mod:`django.contrib.contenttypes`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@ -841,16 +841,16 @@ The default password change views included with Django,
 the session with the new password hash so that a user changing their own
 password won't log themselves out. If you have a custom password change view
 and wish to have similar behavior, use the :func:`update_session_auth_hash`
-function. In this case, however, if a user also wants to invalidate the session
-from which they're changing their password (for example, if they believe the
-session cookie on their machine was stolen), then they also need to log out
-that session.
+function.

 .. function:: update_session_auth_hash(request, user)

    This function takes the current request and the updated user object from
    which the new session hash will be derived and updates the session hash
-    appropriately. Example usage::
+    appropriately. It also rotates the session key so that a stolen session
+    cookie will be invalidated.
+
+    Example usage::

        from django.contrib.auth import update_session_auth_hash

@ -863,6 +863,10 @@ that session.
            else:
                ...

+    .. versionchanged:: 1.11
+
+        Rotating of the session key was added.
+
 .. note::

    Since
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@ -479,6 +479,7 @@ class SessionAuthenticationTests(AuthViewsTestCase):
        session auth hash after a password change so the session isn't logged out.
        """
        self.login()
+        original_session_key = self.client.session.session_key
        response = self.client.post('/password_change/', {
            'old_password': 'password',
            'new_password1': 'password1',
@ -486,6 +487,8 @@ class SessionAuthenticationTests(AuthViewsTestCase):
        })
        # if the hash isn't updated, retrieving the redirection page will fail.
        self.assertRedirects(response, '/password_change/done/')
+        # The session key is rotated.
+        self.assertNotEqual(original_session_key, self.client.session.session_key)


 class LoginTest(AuthViewsTestCase):