mirror of https://github.com/django/django.git
[1.8.x] Fixed incorrect session.flush() in cached_db session backend.
This is a security fix; disclosure to follow shortly. Thanks Sam Cooke for the report and draft patch.
This commit is contained in:
parent
2b2a2157d0
commit
31cb25adec
|
@ -79,7 +79,7 @@ class SessionStore(DBStore):
|
|||
"""
|
||||
self.clear()
|
||||
self.delete(self.session_key)
|
||||
self._session_key = ''
|
||||
self._session_key = None
|
||||
|
||||
# At bottom to avoid circular import
|
||||
from django.contrib.sessions.models import Session # isort:skip
|
||||
|
|
|
@ -4,7 +4,23 @@ Django 1.8.2 release notes
|
|||
|
||||
*Under development*
|
||||
|
||||
Django 1.8.2 fixes several bugs in 1.8.1.
|
||||
Django 1.8.2 fixes a security issue and several bugs in 1.8.1.
|
||||
|
||||
Fixed session flushing in the ``cached_db`` backend
|
||||
===================================================
|
||||
|
||||
A change to ``session.flush()`` in the ``cached_db`` session backend in Django
|
||||
1.8 mistakenly sets the session key to an empty string rather than ``None``. An
|
||||
empty string is treated as a valid session key and the session cookie is set
|
||||
accordingly. Any users with an empty string in their session cookie will use
|
||||
the same session store. ``session.flush()`` is called by
|
||||
``django.contrib.auth.logout()`` and, more seriously, by
|
||||
``django.contrib.auth.login()`` when a user switches accounts. If a user is
|
||||
logged in and logs in again to a different account (without logging out) the
|
||||
session is flushed to avoid reuse. After the session is flushed (and its
|
||||
session key becomes ``''``) the account details are set on the session and the
|
||||
session is saved. Any users with an empty string in their session cookie will
|
||||
now be logged into that account.
|
||||
|
||||
Bugfixes
|
||||
========
|
||||
|
|
|
@ -162,6 +162,7 @@ class SessionTestsMixin(object):
|
|||
self.session.flush()
|
||||
self.assertFalse(self.session.exists(prev_key))
|
||||
self.assertNotEqual(self.session.session_key, prev_key)
|
||||
self.assertIsNone(self.session.session_key)
|
||||
self.assertTrue(self.session.modified)
|
||||
self.assertTrue(self.session.accessed)
|
||||
|
||||
|
|
Loading…
Reference in New Issue