mirror of https://github.com/django/django.git
Fixed #6941 -- When logging a user out, or when logging in with an existing
session and a different user id to the current session owner, flush the session data to avoid leakage. Logging in and moving from an anonymous user to a validated user still keeps existing session data. Backwards incompatible if you were assuming sessions persisted past logout. git-svn-id: http://code.djangoproject.com/svn/django/trunk@8343 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
5e8efa9a60
commit
97a7dab2b1
|
@ -53,6 +53,10 @@ def login(request, user):
|
||||||
# TODO: It would be nice to support different login methods, like signed cookies.
|
# TODO: It would be nice to support different login methods, like signed cookies.
|
||||||
user.last_login = datetime.datetime.now()
|
user.last_login = datetime.datetime.now()
|
||||||
user.save()
|
user.save()
|
||||||
|
if request.session.get('SESSION_KEY', user.id) != user.id:
|
||||||
|
# To avoid reusing another user's session, create a new, empty session
|
||||||
|
# if the existing session corresponds to a different authenticated user.
|
||||||
|
request.session.flush()
|
||||||
request.session[SESSION_KEY] = user.id
|
request.session[SESSION_KEY] = user.id
|
||||||
request.session[BACKEND_SESSION_KEY] = user.backend
|
request.session[BACKEND_SESSION_KEY] = user.backend
|
||||||
if hasattr(request, 'user'):
|
if hasattr(request, 'user'):
|
||||||
|
@ -60,16 +64,10 @@ def login(request, user):
|
||||||
|
|
||||||
def logout(request):
|
def logout(request):
|
||||||
"""
|
"""
|
||||||
Remove the authenticated user's ID from the request.
|
Removes the authenticated user's ID from the request and flushes their
|
||||||
|
session data.
|
||||||
"""
|
"""
|
||||||
try:
|
request.session.flush()
|
||||||
del request.session[SESSION_KEY]
|
|
||||||
except KeyError:
|
|
||||||
pass
|
|
||||||
try:
|
|
||||||
del request.session[BACKEND_SESSION_KEY]
|
|
||||||
except KeyError:
|
|
||||||
pass
|
|
||||||
if hasattr(request, 'user'):
|
if hasattr(request, 'user'):
|
||||||
from django.contrib.auth.models import AnonymousUser
|
from django.contrib.auth.models import AnonymousUser
|
||||||
request.user = AnonymousUser()
|
request.user = AnonymousUser()
|
||||||
|
|
|
@ -426,6 +426,13 @@ use ``django.contrib.auth.logout()`` within your view. It takes an
|
||||||
|
|
||||||
Note that ``logout()`` doesn't throw any errors if the user wasn't logged in.
|
Note that ``logout()`` doesn't throw any errors if the user wasn't logged in.
|
||||||
|
|
||||||
|
**New in Django development version:** When you call ``logout()``, the session
|
||||||
|
data for the current request is completely cleaned out. All existing data is
|
||||||
|
removed. This is to prevent another person from using the same web browser to
|
||||||
|
log in and have access to the previous user's session data. If you want to put
|
||||||
|
anything into the session that will be available to the user immediately after
|
||||||
|
logging out, do that *after* calling ``django.contrib.auth.logout()``.
|
||||||
|
|
||||||
Limiting access to logged-in users
|
Limiting access to logged-in users
|
||||||
----------------------------------
|
----------------------------------
|
||||||
|
|
||||||
|
|
|
@ -117,8 +117,8 @@ It also has these methods:
|
||||||
Delete the current session data from the database and regenerate the
|
Delete the current session data from the database and regenerate the
|
||||||
session key value that is sent back to the user in the cookie. This is
|
session key value that is sent back to the user in the cookie. This is
|
||||||
used if you want to ensure that the previous session data can't be
|
used if you want to ensure that the previous session data can't be
|
||||||
accessed again from the user's browser (for example, the standard
|
accessed again from the user's browser (for example, the
|
||||||
``logout()`` method calls it).
|
``django.contrib.auth.logout()`` method calls it).
|
||||||
|
|
||||||
* ``set_test_cookie()``
|
* ``set_test_cookie()``
|
||||||
|
|
||||||
|
@ -230,6 +230,11 @@ This simplistic view logs in a "member" of the site::
|
||||||
pass
|
pass
|
||||||
return HttpResponse("You're logged out.")
|
return HttpResponse("You're logged out.")
|
||||||
|
|
||||||
|
The standard ``django.contrib.auth.logout()`` function actually does a bit
|
||||||
|
more than this to prevent inadvertent data leakage. It calls
|
||||||
|
``request.session.flush()``. We are using this example as a demonstration of
|
||||||
|
how to work with session objects, not as a full ``logout()`` implementation.
|
||||||
|
|
||||||
Setting test cookies
|
Setting test cookies
|
||||||
====================
|
====================
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue