[1.7.x] Fixed a KeyError on login with legacy sessions; refs #21649.

Thanks Loic for the report. Backport of 11e30b684d from master
2014-04-10 08:03:50 -04:00 · 2014-04-10 08:03:50 -04:00 · 548acd77fd
parent edaff9b0df
commit 548acd77fd
2 changed files with 17 additions and 1 deletions
--- a/django/contrib/auth/init.py
+++ b/django/contrib/auth/init.py
@ -86,7 +86,7 @@ def login(request, user):
    if SESSION_KEY in request.session:
        if request.session[SESSION_KEY] != user.pk or (
                session_auth_hash and
-                request.session[HASH_SESSION_KEY] != session_auth_hash):
+                request.session.get(HASH_SESSION_KEY) != session_auth_hash):
            # To avoid reusing another user's session, create a new, empty
            # session if the existing session corresponds to a different
            # authenticated user.
--- a/django/contrib/auth/tests/test_views.py
+++ b/django/contrib/auth/tests/test_views.py
@ -595,6 +595,22 @@ class LoginTest(AuthViewsTestCase):
        self.login(password='foobar')
        self.assertNotEqual(original_session_key, self.client.session.session_key)

+    def test_login_session_without_hash_session_key(self):
+        """
+        Session without django.contrib.auth.HASH_SESSION_KEY should login
+        without an exception.
+        """
+        user = User.objects.get(username='testclient')
+        engine = import_module(settings.SESSION_ENGINE)
+        session = engine.SessionStore()
+        session[SESSION_KEY] = user.id
+        session.save()
+        original_session_key = session.session_key
+        self.client.cookies[settings.SESSION_COOKIE_NAME] = original_session_key
+
+        self.login()
+        self.assertNotEqual(original_session_key, self.client.session.session_key)
+

@skipIfCustomUser
 class LoginURLSettings(AuthViewsTestCase):