Commit Graph

98 Commits

Author SHA1 Message Date
Jon Dufresne 5faf745999 Refs #21608 -- Fixed incorrect cache key in cache session backend's save().
The bug was introduced commit 3389c5ea22.
2016-04-04 07:41:59 -04:00
Tore Lundqvist 3389c5ea22 Fixed #21608 -- Prevented logged out sessions being resurrected by concurrent requests.
Thanks Simon Charette for the review.
2016-02-26 18:56:56 -05:00
Tim Graham 98839e9066 Removed British/Austrialian word: whilist. 2015-12-31 14:29:52 -05:00
Brian Gianforcaro a3fffdca24 Fixed #25558 -- Fixed nondeterministic test failure on Windows: test_clearsessions_command.
The test session without an expiration date added in refs #22938 wasn't
always deleted on Windows because get_expiry_age() returns zero and the
file backend didn't consider that an expired session.
2015-10-17 10:03:11 -04:00
Aleksandra Tarkowska c055224763 Fixed #22938 -- Allowed clearsessions to remove file-based sessions. 2015-10-03 09:21:10 -04:00
Sergey Kolosov 22bb548900 Fixed #22634 -- Made the database-backed session backends more extensible.
Introduced an AbstractBaseSession model and hooks providing the option
of overriding the model class used by the session store and the session
store class used by the model.
2015-08-27 15:00:09 -04:00
Carl Meyer df049ed77a Fixed #19324 -- Avoided creating a session record when loading the session.
The session record is now only created if/when the session is modified. This
prevents a potential DoS via creation of many empty session records.

This is a security fix; disclosure to follow shortly.
2015-07-08 15:23:03 -04:00
David Bannon f4416b1a8b Fixed #24915 -- Added stricter session key validation
Changed _session_key attribute to a property and implemented basic
validation in the setter. The session key must be 'truthy' and
at least 8 characters long. Otherwise, the value is set to None.
2015-06-06 20:04:20 -04:00
Tim Graham 088579638b Fixed incorrect session.flush() in cached_db session backend.
This is a security fix; disclosure to follow shortly.

Thanks Sam Cooke for the report and draft patch.
2015-05-20 13:48:06 -04:00
Piotr Jakimiak 4157c502a5 Removed unnecessary arguments in .get method calls 2015-05-13 20:51:18 +02:00
Adam Zapletal 872eb26f54 Fixed #24621 -- Fixed and documented SessionBase.pop's second argument
Changed SessionBase.pop's second argument to explicitly be default=None
rather than *args since _session is always a dict. Thanks gabor for the
report and Tim Graham for the review.
2015-04-13 10:32:03 -04:00
Tim Graham 8a481498aa Fixed #24468 -- Made signed cookies cache backend resilient to unpickling exceptions. 2015-03-12 08:19:54 -04:00
Tim Graham 0ed7d15563 Sorted imports with isort; refs #23860. 2015-02-06 08:16:28 -05:00
Michael Hall 895dc880eb Fixed #23812 -- Changed django.utils.six.moves.xrange imports to range 2014-12-13 12:45:58 -05:00
Matt Robenolt 393c0e2422 Fixed #20936 -- When logging out/ending a session, don't create a new, empty session.
Previously, when logging out, the existing session was overwritten by a
new sessionid instead of deleting the session altogether.

This behavior added overhead by creating a new session record in
whichever backend was in use: db, cache, etc.

This extra session is unnecessary at the time since no session data is
meant to be preserved when explicitly logging out.
2014-05-11 21:42:26 -03:00
Berker Peksag 5d263dee30 Fixed #21674 -- Deprecated the import_by_path() function in favor of import_string().
Thanks Aymeric Augustin for the suggestion and review.
2014-02-08 11:12:19 -05:00
Curtis Maloney ffc37e2343 Fixed #21012 -- New API to access cache backends.
Thanks Curtis Malony and Florian Apolloner.

Squashed commit of the following:

commit 3380495e93
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sat Nov 23 14:18:07 2013 +0100

    Looked up the template_fragments cache at runtime.

commit 905a74f52b
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sat Nov 23 14:19:48 2013 +0100

    Removed all uses of create_cache.

    Refactored the cache tests significantly.

    Made it safe to override the CACHES setting.

commit 35e289fe92
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sat Nov 23 12:23:57 2013 +0100

    Removed create_cache function.

commit 8e274f747a
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sat Nov 23 12:04:52 2013 +0100

    Updated docs to describe a simplified cache backend API.

commit ee7eb0f73e
Author: Curtis Maloney <curtis@tinbrain.net>
Date:   Sat Oct 19 09:49:24 2013 +1100

    Fixed #21012 -- Thread-local caches, like databases.
2013-11-23 15:06:59 +01:00
Alex Gaynor 7548aa8ffd More attacking E302 violators 2013-11-02 13:12:09 -07:00
Aymeric Augustin 728548e483 Fixed #21134 -- Prevented queries in broken transactions.
Squashed commit of the following:

commit 63ddb271a44df389b2c302e421fc17b7f0529755
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sun Sep 29 22:51:00 2013 +0200

    Clarified interactions between atomic and exceptions.

commit 2899ec299228217c876ba3aa4024e523a41c8504
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sun Sep 22 22:45:32 2013 +0200

    Fixed TransactionManagementError in tests.

    Previous commit introduced an additional check to prevent running
    queries in transactions that will be rolled back, which triggered a few
    failures in the tests. In practice using transaction.atomic instead of
    the low-level savepoint APIs was enough to fix the problems.

commit 4a639b059ea80aeb78f7f160a7d4b9f609b9c238
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Tue Sep 24 22:24:17 2013 +0200

    Allowed nesting constraint_checks_disabled inside atomic.

    Since MySQL handles transactions loosely, this isn't a problem.

commit 2a4ab1cb6e83391ff7e25d08479e230ca564bfef
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sat Sep 21 18:43:12 2013 +0200

    Prevented running queries in transactions that will be rolled back.

    This avoids a counter-intuitive behavior in an edge case on databases
    with non-atomic transaction semantics.

    It prevents using savepoint_rollback() inside an atomic block without
    calling set_rollback(False) first, which is backwards-incompatible in
    tests.

    Refs #21134.

commit 8e3db393853c7ac64a445b66e57f3620a3fde7b0
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sun Sep 22 22:14:17 2013 +0200

    Replaced manual savepoints by atomic blocks.

    This ensures the rollback flag is handled consistently in internal APIs.
2013-09-30 09:42:27 +02:00
Gregor MacGregor b2b763448f Fixed #20841 -- Added messages to NotImplementedErrors
Thanks joseph at vertstudios.com for the suggestion.
2013-09-10 11:09:59 -04:00
CHI Cheng ed9cd4fd8b Fixed #21000 -- Made cached_db session backend respect SESSION_CACHE_ALIAS 2013-09-05 10:47:58 -04:00
Tim Graham b0ce6fe656 Fixed #20922 -- Allowed customizing the serializer used by contrib.sessions
Added settings.SESSION_SERIALIZER which is the import path of a serializer
to use for sessions.

Thanks apollo13, carljm, shaib, akaariai, charettes, and dstufft for reviews.
2013-08-22 13:58:26 -04:00
Preston Holmes d228c1192e Fixed #19866 -- Added security logger and return 400 for SuspiciousOperation.
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.

Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.
2013-05-25 16:27:34 -07:00
Erik Romijn f88700d610 Fix #19664 -- Illegal Characters In Session Key Give Fatal Error On File Backend Only 2013-05-19 15:33:05 +02:00
Aymeric Augustin ba5138b1c0 Deprecated transaction.commit/rollback_unless_managed.
Since "unless managed" now means "if database-level autocommit",
committing or rolling back doesn't have any effect.

Restored transactional integrity in a few places that relied on
automatically-started transactions with a transitory API.
2013-03-11 14:48:54 +01:00
Joeri Bekker b9cc61021a Fixed #9084 - Best approach for an OS to atomically rename the session file. 2013-02-24 14:21:40 +01:00
Aymeric Augustin d913a8b412 Fixed #19356 -- Increased session key entropy. 2012-11-29 16:36:43 +01:00
Aymeric Augustin 11fd00c46e Fixed #19254 -- Bug in SESSION_FILE_PATH handling.
Thanks simonb for the report.

Refs #18194.
2012-11-06 10:19:14 +01:00
Aymeric Augustin 146ed13a11 Fixed #17083 -- Allowed sessions to use non-default cache. 2012-10-31 09:46:16 +01:00
Aymeric Augustin 98032f67c7 Fixed #14093 -- Improved error message in the cache session backend.
Thanks stumbles for the patch.
2012-10-28 12:40:10 +01:00
Aymeric Augustin 5fec97b9df Fixed #18194 -- Expiration of file-based sessions
* Prevented stale session files from being loaded
* Added removal of stale session files in django-admin.py clearsessions

Thanks ej for the report, crodjer and Elvard for their inputs.
2012-10-28 09:19:38 +01:00
Aymeric Augustin cd17a24083 Added optional kwargs to get_expiry_age/date.
This change allows for cleaner tests: we can test the exact output.

Refs #18194: this change makes it possible to compute session expiry
dates at times other than when the session is saved.

Fixed #18458: the existence of the `modification` kwarg implies that you
must pass it to get_expiry_age/date if you call these functions outside
of a short request - response cycle (the intended use case).
2012-10-27 23:15:45 +02:00
Aymeric Augustin 04b00b668d Fixed #19200 -- Session expiry with cached_db
Also did a little bit of cleanup.
2012-10-27 19:40:39 +02:00
Claude Paroz ebc773ada3 Replaced many smart_bytes by force_bytes
In all those occurrences, we didn't care about preserving the
lazy status of the strings, but we really wanted to obtain a
real bytestring.
2012-08-29 11:20:32 +02:00
Florian Apolloner 518af78e21 Removed unneeded smart_bytes import which was introduced in f2fff84bc. 2012-08-15 17:33:21 +02:00
Florian Apolloner f2fff84bc3 [py3] fixed session file backend. 2012-08-15 14:20:44 +02:00
Claude Paroz e0d67f3440 [py3] Fixed test_client_regress tests 2012-08-15 10:58:26 +02:00
Aymeric Augustin 212a512984 [py3] Avoided the deprecated base64 interface.
This fixes a deprecation warning under Python 3.
2012-08-14 23:45:12 +02:00
Claude Paroz 8a1f439d3a [py3] Fix encoding issues in contrib.sessions 2012-08-12 22:49:10 +02:00
Aymeric Augustin c5ef65bcf3 [py3] Ported django.utils.encoding.
* Renamed smart_unicode to smart_text (but kept the old name under
  Python 2 for backwards compatibility).
* Renamed smart_str to smart_bytes.
* Re-introduced smart_str as an alias for smart_text under Python 3
  and smart_bytes under Python 2 (which is backwards compatible).
  Thus smart_str always returns a str objects.
* Used the new smart_str in a few places where both Python 2 and 3
  want a str.
2012-08-07 12:00:22 +02:00
Aymeric Augustin a84d79f572 [py3] Added Python 3 compatibility for xrange. 2012-07-22 09:29:56 +02:00
Aymeric Augustin ca07fda2ef [py3] Switched to Python 3-compatible imports.
xrange/range will be dealt with in a separate commit due to the huge
number of changes.
2012-07-22 09:29:56 +02:00
Claude Paroz 865cd35c9b Made more extensive usage of context managers with open. 2012-05-05 14:06:36 +02:00
Claude Paroz 3904b74a3f Fixed #18013 -- Use the new 'as' syntax for exceptions.
Thanks Clueless for the initial patch.
Note that unittest has been purposely left out (external package only used by Python 2.6).
2012-04-29 20:57:15 +02:00
Aymeric Augustin f356a2e52f Fixed #17810 (again). Catch session key errors.
The previous commit didn't work with PyLibMC.
This solution appears to be the best compromise
at this point in the 1.4 release cycle.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@17797 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-23 16:14:46 +00:00
Jannis Leidel 46871eb1bb Fixed an incompatibility with Python 2.5 in the changes done in r17795. Refs #17810.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17796 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-23 09:32:11 +00:00
Paul McMillan 2ca9801956 Fixed #17810. Catch session key errors.
Catches memcached session key errors related to overly long session keys.
This is a long-standing bug, but severity was exacerbated by the addition
of cookie-backed session storage, which generates long session values. If
an installation switched from cookie-backed session store to memcached,
users would not be able to log in because of the server error from overly
long memcached keys.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@17795 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-23 05:31:11 +00:00
Paul McMillan 239e41f7c5 Cleanup to use get_random_string consistently.
Removes several ad hoc implementations of get_random_string()
and removes an innapropriate use of settings.SECRET_KEY.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@17580 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-23 21:39:12 +00:00
Julien Phalip 804bd40383 Fixed #17506 -- Did a minor optimization in the sessions' database backend. Thanks to FunkyBob for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17390 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-01-24 07:42:38 +00:00
Aymeric Augustin c11f9c3193 Optimized the cached_db session backend to check if a key exists in the cache first.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17156 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-11-27 18:36:03 +00:00