mirror of https://github.com/django/django.git
Fixed #6941 -- When logging a user out, or when logging in with an existing session and a different user id to the current session owner, flush the session data to avoid leakage. Logging in and moving from an anonymous user to a validated user still keeps existing session data. Backwards incompatible if you were assuming sessions persisted past logout.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@8343 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 5e8efa9a60
commit 97a7dab2b1
@ -53,6 +53,10 @@ def login(request, user):
# TODO: It would be nice to support different login methods, like signed cookies.
user.last_login = datetime.datetime.now()
user.save()
if request.session.get('SESSION_KEY', user.id) != user.id:
# To avoid reusing another user's session, create a new, empty session
# if the existing session corresponds to a different authenticated user.
request.session.flush()
request.session[SESSION_KEY] = user.id
request.session[BACKEND_SESSION_KEY] = user.backend
if hasattr(request, 'user'):
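Review bot: the guard `if request.session.get('SESSION_KEY', user.id) != user.id:` looks up the string literal `'SESSION_KEY'`, while the assignment two lines below stores the id under the `SESSION_KEY` constant (`request.session[SESSION_KEY] = user.id`). Since nothing is ever stored under the literal key, `get()` always returns the default `user.id`, the comparison is always false and `request.session.flush()` never runs on login, so the cross-user session reuse the commit message describes is not actually prevented on the login side. Suggest `if request.session.get(SESSION_KEY, user.id) != user.id:` plus a test that logs in one user, logs in a second user on the same session, and asserts that the session key changed and the first user's session data is gone.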
@ -60,16 +64,10 @@ def login(request, user):
def logout(request):
"""
Remove the authenticated user's ID from the request.
Removes the authenticated user's ID from the request and flushes their
session data.
"""
try:
del request.session[SESSION_KEY]
except KeyError:
pass
try:
del request.session[BACKEND_SESSION_KEY]
except KeyError:
pass
request.session.flush()
if hasattr(request, 'user'):
from django.contrib.auth.models import AnonymousUser
request.user = AnonymousUser()
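Review bot: the new docstring says the user's session data is flushed but not that `request.session.flush()` also regenerates the session key (the sessions documentation touched in this same change describes flush() as deleting the data and regenerating the key), which is the part callers need to know if they read or set the session cookie after logout. Suggest: `Removes the authenticated user's ID from the request, flushes their session data and issues a new session key.` Dropping the two try/except `del` blocks is fine, since flush() discards every key including SESSION_KEY and BACKEND_SESSION_KEY.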
@ -426,6 +426,13 @@ use ``django.contrib.auth.logout()`` within your view. It takes an
Note that ``logout()`` doesn't throw any errors if the user wasn't logged in.
**New in Django development version:** When you call ``logout()``, the session
data for the current request is completely cleaned out. All existing data is
removed. This is to prevent another person from using the same web browser to
log in and have access to the previous user's session data. If you want to put
anything into the session that will be available to the user immediately after
logging out, do that *after* calling ``django.contrib.auth.logout()``.
Limiting access to logged-in users
----------------------------------
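Review bot: this note documents only the logout() side; the login() change in the same commit (flushing the session when it already belongs to a different authenticated user) is not mentioned in this file, so a reader of the login() section will not learn that existing session data can disappear when a second user signs in over an existing session. Suggest a matching "New in Django development version" sentence under the login() documentation, and an entry in the backwards-incompatible changes list, since the commit message itself says this breaks code that assumed sessions persist past logout.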
@ -117,8 +117,8 @@ It also has these methods:
Delete the current session data from the database and regenerate the
session key value that is sent back to the user in the cookie. This is
used if you want to ensure that the previous session data can't be
accessed again from the user's browser (for example, the standard
``logout()`` method calls it).
accessed again from the user's browser (for example, the
``django.contrib.auth.logout()`` method calls it).
* ``set_test_cookie()``
@ -230,6 +230,11 @@ This simplistic view logs in a "member" of the site::
pass
return HttpResponse("You're logged out.")
The standard ``django.contrib.auth.logout()`` function actually does a bit
more than this to prevent inadvertent data leakage. It calls
``request.session.flush()``. We are using this example as a demonstration of
how to work with session objects, not as a full ``logout()`` implementation.
Setting test cookies
====================
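Review bot: the added paragraph says the real logout() calls ``request.session.flush()`` but not why that matters for the example: a view that only removes its own key (the ``pass`` in the except block above is the tail of such a removal) leaves any other session data and the session ID itself in place for the next person using that browser. Suggest spelling out the difference, e.g. "It calls ``request.session.flush()``, which removes all session data and issues a new session key, rather than deleting a single key."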