Changed models.auth.Session.get_session_from_cookie to raise SessionDoesNotExist instead of SuspiciousOperation if tamper check fails

git-svn-id: http://code.djangoproject.com/svn/django/trunk@234 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Adrian Holovaty 2005-07-20 00:57:38 +00:00
parent d384870307
commit 526f6af782
1 changed files with 1 additions and 2 deletions


@ -213,8 +213,7 @@ class Session(meta.Model):
raise SessionDoesNotExist raise SessionDoesNotExist
session_md5, tamper_check = session_cookie_string[:32], session_cookie_string[32:] session_md5, tamper_check = session_cookie_string[:32], session_cookie_string[32:]
if md5.new(session_md5 + SECRET_KEY + 'auth').hexdigest() != tamper_check: if md5.new(session_md5 + SECRET_KEY + 'auth').hexdigest() != tamper_check:
from django.core.exceptions import SuspiciousOperation raise SessionDoesNotExist
raise SuspiciousOperation, "User may have tampered with session cookie."
return get_object(session_md5__exact=session_md5, select_related=True) return get_object(session_md5__exact=session_md5, select_related=True)
def _module_destroy_all_sessions(user_id): def _module_destroy_all_sessions(user_id):
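Review bot: The tamper-check branch now raises `SessionDoesNotExist`, the same exception the branch above it raises, so a cookie whose keyed MD5 fails verification is no longer distinguishable from an absent session and nothing records the failure. If callers are meant to treat both cases as "not logged in", keep the exception but record the event before raising, for example `logging.warning("session cookie failed tamper check")`, leaving the cookie value out of the message. A short comment on the new line would also help, such as `# Tampered cookie: treated as no session so the caller re-authenticates`. The enclosing method starts above the hunk, so whether a logger is already available in this module cannot be seen from here.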