diff --git a/django/middleware/admin.py b/django/middleware/admin.py
index 1ad1f09796..ff21689646 100644
--- a/django/middleware/admin.py
+++ b/django/middleware/admin.py
@@ -81,6 +81,7 @@ class AdminUserRequired:
 request.user = user
 return
 else:
+ request.session.delete_test_cookie()
 return httpwrappers.HttpResponseRedirect(request.path)
 else:
 return self.display_login_form(request, ERROR_MESSAGE)
diff --git a/django/middleware/sessions.py b/django/middleware/sessions.py
index 1f9b7dbb99..a588e3e95b 100644
--- a/django/middleware/sessions.py
+++ b/django/middleware/sessions.py
@@ -30,6 +30,9 @@ class SessionWrapper(object):
 def test_cookie_worked(self):
 return self.get(TEST_COOKIE_NAME) == TEST_COOKIE_VALUE
 
+ def delete_test_cookie(self):
+ del self[TEST_COOKIE_NAME]
+
 def _get_session(self):
 # Lazily loads session from storage.
 try:
diff --git a/django/views/auth/login.py b/django/views/auth/login.py
index 8b375517cc..75a80c7907 100644
--- a/django/views/auth/login.py
+++ b/django/views/auth/login.py
@@ -18,6 +18,7 @@ def login(request):
 if not redirect_to or '://' in redirect_to or ' ' in redirect_to:
 redirect_to = '/accounts/profile/'
 request.session[users.SESSION_KEY] = manipulator.get_user_id()
+ request.session.delete_test_cookie()
 return HttpResponseRedirect(redirect_to)
 else:
 errors = {}
diff --git a/docs/sessions.txt b/docs/sessions.txt
index ad715767ca..22d06fdedd 100644
--- a/docs/sessions.txt
+++ b/docs/sessions.txt
@@ -46,7 +46,7 @@ It implements the following standard dictionary methods:
 * ``get(key, default=None)``
 Example: ``fav_color = request.session.get('fav_color', 'red')``
 
-It also has these two methods:
+It also has these three methods:
 
 * ``set_test_cookie()``
 Sets a test cookie to determine whether the user's browser supports
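Review bot: The new `request.session.delete_test_cookie()` in admin.py runs only on the `else:` branch that redirects to `request.path`; the sibling branch just above it (`request.user = user` followed by `return`) completes the same successful login but leaves the test-cookie marker in the session, so whether the marker is cleaned up now depends on which branch was taken. If the intent is to clear it whenever the admin login succeeds, the call belongs above the inner `if`/`else`, presumably beside wherever the session key is stored; that code and the start of the enclosing method are outside the hunk, so I cannot see whether an earlier line already does it. The second `else:` (the `display_login_form` failure path) is correct to leave the marker alone, since the docs tell users to delete it only after `test_cookie_worked()` succeeded.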
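Review bot: `delete_test_cookie` in sessions.py is written as a bare `del self[TEST_COOKIE_NAME]`, which (assuming `__delitem__` forwards to the underlying dict as `get` appears to) raises `KeyError` when the marker was never set, so a cleanup helper becomes a 500 for any caller that reaches it without a preceding `test_cookie_worked()` check. Both call sites this commit adds, admin.py and login.py, invoke it on their success paths after the session key is stored, and the checks that would guarantee the marker exists are outside their hunks; the docs hunk additionally advertises it as a general "clean up after yourself" call, which invites use where the key is absent. Deleting something that may not exist should be idempotent; the rewrite below keeps the signature and simply tolerates a missing key.
```python
    def delete_test_cookie(self):
        try:
            del self[TEST_COOKIE_NAME]
        except KeyError:
            pass
```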
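Review bot: The target check the new login success path redirects through, `if not redirect_to or '://' in redirect_to or ' ' in redirect_to:`, predates this commit but still lets a protocol-relative value (one beginning with `//`) through, which a browser resolves against another host even though no `://` is present; since `redirect_to` comes from POST data, that is an open redirect on the freshly authenticated request. If the intent is same-site paths only, tighten the guard to `if not redirect_to or not redirect_to.startswith('/') or redirect_to.startswith('//') or ' ' in redirect_to:`, which keeps the existing `'/accounts/profile/'` fallback behaviour. Where `redirect_to` is read is outside the hunk, so I am inferring its origin from the field name and the fallback.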
@@ -60,6 +60,9 @@ It also has these two methods:
 have to call ``set_test_cookie()`` on a previous, separate page request.
 See "Setting test cookies" below for more information.
 
+ * ``delete_test_cookie()``
+ Deletes the test cookie. Use this to clean up after yourself.
+
 You can edit ``request.session`` at any point in your view. You can edit it
 multiple times.
 
@@ -120,11 +123,15 @@ This awkward split between ``set_test_cookie()`` and ``test_cookie_worked()`` is
 necessary due to the way cookies work. When you set a cookie, you can't
 actually tell whether a browser accepted it until the browser's next request.
 
+It's good practice to use ``delete_test_cookie()`` to clean up after yourself.
+Do this after you've verified that the test cookie worked.
+
 Here's a typical usage example::
 
 def login(request):
 if request.POST:
 if request.session.test_cookie_worked():
+ request.session.delete_test_cookie()
 return HttpResponse("You're logged in.")
 else:
 return HttpResponse("Please enable cookies and try again.")