Changed models.auth.Session.get_session_from_cookie to raise SessionDoesNotExist instead of SuspiciousOperation if tamper check fails
git-svn-id: http://code.djangoproject.com/svn/django/trunk@234 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent
d384870307
commit
526f6af782
|
@ -213,8 +213,7 @@ class Session(meta.Model):
|
||||||
raise SessionDoesNotExist
|
raise SessionDoesNotExist
|
||||||
session_md5, tamper_check = session_cookie_string[:32], session_cookie_string[32:]
|
session_md5, tamper_check = session_cookie_string[:32], session_cookie_string[32:]
|
||||||
if md5.new(session_md5 + SECRET_KEY + 'auth').hexdigest() != tamper_check:
|
if md5.new(session_md5 + SECRET_KEY + 'auth').hexdigest() != tamper_check:
|
||||||
from django.core.exceptions import SuspiciousOperation
|
raise SessionDoesNotExist
|
||||||
raise SuspiciousOperation, "User may have tampered with session cookie."
|
|
||||||
return get_object(session_md5__exact=session_md5, select_related=True)
|
return get_object(session_md5__exact=session_md5, select_related=True)
|
||||||
|
|
||||||
def _module_destroy_all_sessions(user_id):
|
def _module_destroy_all_sessions(user_id):
|
||||||
|
|
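Review bot: The new `raise SessionDoesNotExist` in the tamper-check branch makes a cookie with a bad signature indistinguishable from a missing or expired session, so the distinct signal that forged cookies are being submitted is lost unless it is recorded elsewhere. If the intent is for callers to treat this as an anonymous request, state that in a comment and record the failure before raising, e.g. `# Tamper check failed: report as "no session" so callers fall back to anonymous; log it so forgery attempts stay visible`. Separately, the unchanged check compares the digest with `!=`, which is not a constant-time comparison, and builds the tag as `md5(session_md5 + SECRET_KEY + 'auth')` rather than with the standard `hmac` module; both are worth a follow-up. get_session_from_cookie starts above this hunk, so how its callers handle SessionDoesNotExist is not visible here.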