When logging in, change the session key whilst preserving any existing
session. This means the user will see their session preserved across a login boundary, but somebody snooping the anonymous session key won't be able to view the authenticated session data. This is the final piece of the session key handling changes. git-svn-id: http://code.djangoproject.com/svn/django/trunk@8459 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent
2f7d624391
commit
c8c159cbba
@ -53,10 +53,15 @@ def login(request, user):
|
||||||
# TODO: It would be nice to support different login methods, like signed cookies.
|
# TODO: It would be nice to support different login methods, like signed cookies.
|
||||||
user.last_login = datetime.datetime.now()
|
user.last_login = datetime.datetime.now()
|
||||||
user.save()
|
user.save()
|
||||||
if request.session.get('SESSION_KEY', user.id) != user.id:
|
|
||||||
# To avoid reusing another user's session, create a new, empty session
|
if SESSION_KEY in request.session:
|
||||||
# if the existing session corresponds to a different authenticated user.
|
if request.session[SESSION_KEY] != user.id:
|
||||||
|
# To avoid reusing another user's session, create a new, empty
|
||||||
|
# session if the existing session corresponds to a different
|
||||||
|
# authenticated user.
|
||||||
request.session.flush()
|
request.session.flush()
|
||||||
|
else:
|
||||||
|
request.session.cycle_key()
|
||||||
request.session[SESSION_KEY] = user.id
|
request.session[SESSION_KEY] = user.id
|
||||||
request.session[BACKEND_SESSION_KEY] = user.backend
|
request.session[BACKEND_SESSION_KEY] = user.backend
|
||||||
if hasattr(request, 'user'):
|
if hasattr(request, 'user'):
|
||||||
|
|
|
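Review bot: The nested `if request.session[SESSION_KEY] != user.id:` leaves a third case silent: when the session already belongs to this same user, neither `flush()` nor `cycle_key()` runs, so a repeated login keeps the pre-existing session key rather than rotating it. If that is intended, the comment should say so, e.g. `# Same user re-authenticating: keep the existing session and key.`, because a reader will otherwise expect rotation on every login; if not, an `else: request.session.cycle_key()` on that inner `if` closes the gap. The outer `else: request.session.cycle_key()` branch deliberately carries the anonymous session's data across the login boundary, which deserves a one-line comment that the new key stops a pre-login key (sniffed or fixated) from resolving to the authenticated session but does not discard anything a third party may have planted in the anonymous session, so that data should not be trusted for anything security-sensitive. `login` begins before this hunk.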
@ -239,6 +239,16 @@ class SessionBase(object):
|
||||||
self.delete()
|
self.delete()
|
||||||
self.create()
|
self.create()
|
||||||
|
|
||||||
|
def cycle_key(self):
|
||||||
|
"""
|
||||||
|
Creates a new session key, whilst retaining the current session data.
|
||||||
|
"""
|
||||||
|
data = self._session_cache
|
||||||
|
key = self.session_key
|
||||||
|
self.create()
|
||||||
|
self._session_cache = data
|
||||||
|
self.delete(key)
|
||||||
|
|
||||||
# Methods that child classes must implement.
|
# Methods that child classes must implement.
|
||||||
|
|
||||||
def exists(self, session_key):
|
def exists(self, session_key):
|
||||||
|
|
|
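Review bot: `cycle_key` calls `self.delete(key)` unconditionally, so a session that had no key yet passes `None` down to the backend's `delete`, whose handling of a missing key is not visible here; guarding it as `if key: self.delete(key)` limits old-key removal to sessions that actually had one. The method also reads the private `self._session_cache` directly rather than going through whatever loads it; if the base class (not in view) populates that cache lazily on first access, calling `cycle_key()` on an untouched session would raise AttributeError before `create()` runs, so the read should use the loading accessor if one exists. Nothing in the method writes `data` under the new key, so the retained data presumably only reaches the store at the next `save()` while the old key is removed immediately; the docstring should state that, e.g. `Callers must still save() for the data to be persisted under the new key.`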
@ -37,6 +37,15 @@ False
|
||||||
False
|
False
|
||||||
>>> db_session.modified, db_session.accessed
|
>>> db_session.modified, db_session.accessed
|
||||||
(True, True)
|
(True, True)
|
||||||
|
>>> db_session['a'], db_session['b'] = 'c', 'd'
|
||||||
|
>>> db_session.save()
|
||||||
|
>>> prev_key = db_session.session_key
|
||||||
|
>>> prev_data = db_session.items()
|
||||||
|
>>> db_session.cycle_key()
|
||||||
|
>>> db_session.session_key == prev_key
|
||||||
|
False
|
||||||
|
>>> db_session.items() == prev_data
|
||||||
|
True
|
||||||
|
|
||||||
# Submitting an invalid session key (either by guessing, or if the db has
|
# Submitting an invalid session key (either by guessing, or if the db has
|
||||||
# removed the key) results in a new key being generated.
|
# removed the key) results in a new key being generated.
|
||||||
|
@ -75,6 +84,16 @@ False
|
||||||
False
|
False
|
||||||
>>> file_session.modified, file_session.accessed
|
>>> file_session.modified, file_session.accessed
|
||||||
(True, True)
|
(True, True)
|
||||||
|
>>> file_session['a'], file_session['b'] = 'c', 'd'
|
||||||
|
>>> file_session.save()
|
||||||
|
>>> prev_key = file_session.session_key
|
||||||
|
>>> prev_data = file_session.items()
|
||||||
|
>>> file_session.cycle_key()
|
||||||
|
>>> file_session.session_key == prev_key
|
||||||
|
False
|
||||||
|
>>> file_session.items() == prev_data
|
||||||
|
True
|
||||||
|
|
||||||
>>> Session.objects.filter(pk=file_session.session_key).delete()
|
>>> Session.objects.filter(pk=file_session.session_key).delete()
|
||||||
>>> file_session = FileSession(file_session.session_key)
|
>>> file_session = FileSession(file_session.session_key)
|
||||||
>>> file_session.save()
|
>>> file_session.save()
|
||||||
|
@ -112,6 +131,16 @@ False
|
||||||
False
|
False
|
||||||
>>> cache_session.modified, cache_session.accessed
|
>>> cache_session.modified, cache_session.accessed
|
||||||
(True, True)
|
(True, True)
|
||||||
|
>>> cache_session['a'], cache_session['b'] = 'c', 'd'
|
||||||
|
>>> cache_session.save()
|
||||||
|
>>> prev_key = cache_session.session_key
|
||||||
|
>>> prev_data = cache_session.items()
|
||||||
|
>>> cache_session.cycle_key()
|
||||||
|
>>> cache_session.session_key == prev_key
|
||||||
|
False
|
||||||
|
>>> cache_session.items() == prev_data
|
||||||
|
True
|
||||||
|
|
||||||
>>> Session.objects.filter(pk=cache_session.session_key).delete()
|
>>> Session.objects.filter(pk=cache_session.session_key).delete()
|
||||||
>>> cache_session = CacheSession(cache_session.session_key)
|
>>> cache_session = CacheSession(cache_session.session_key)
|
||||||
>>> cache_session.save()
|
>>> cache_session.save()
|
||||||
|
|
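Review bot: The new doctests after `>>> db_session.cycle_key()` (and the file and cache copies) only inspect the in-memory object: the key changed and `items()` is unchanged. Neither asserts that the old key was actually removed from the store nor that the data is still reachable under the new key after a save, which is the property the cycle exists to provide. Adding `>>> db_session.exists(prev_key)` / `False` after the key comparison, plus a `save()` followed by reloading with the new key (as the `FileSession(file_session.session_key)` and `CacheSession(...)` lines below already do) and checking `items() == prev_data`, would pin both halves; `exists(session_key)` is the abstract method declared in the base-class hunk. The same two checks apply to the file and cache variants.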