Commit Graph

54 Commits

Author SHA1 Message Date
Tom Carrick bcc2befd0e Fixed -- Added a new headers interface to HttpResponse. 2020-09-14 08:41:59 +02:00
Hasan Ramezani 2808cdc8fb Fixed -- Made SessionMiddleware raise SessionInterrupted when session destroyed while request is processing. 2020-09-09 09:04:28 +02:00
Mariusz Felisiak 4376c2c7f8 Fixed -- Fixed crash when decoding invalid session data.
Thanks Matt Hegarty for the report.
Regression in d4fff711d4.
2020-08-19 12:06:00 +02:00
Mariusz Felisiak 99abfe8f4d Fixed -- Fixed encoding session data during transition to Django 3.1.
Thanks אורי for the report.
2020-08-07 21:42:39 +02:00
Mariusz Felisiak 240cbb63bf Fixed -- Fixed setting SameSite and Secure cookies flags in HttpResponse.delete_cookie().
Cookies with the "SameSite" flag set to None and without the "secure"
flag will be soon rejected by latest browser versions.

This affects sessions and messages cookies.
2020-07-16 08:16:58 +02:00
Claude Paroz d4fff711d4 Fixed -- Used signing infrastructure in SessionBase.encode()/decode().
Thanks Mariusz Felisiak and Florian Apolloner for the reviews.
2020-03-02 12:16:48 +01:00
Claude Paroz 4d973f5939 Refs -- Deprecated passing None as get_response arg to middleware classes.
This is the new contract since middleware refactoring in Django 1.10.

Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-02-18 20:03:44 +01:00
Jon Dufresne 77aa74cb70 Refs -- Added support for using pathlib.Path in all settings. 2019-11-07 10:26:22 +01:00
Hasan Ramezani 9d6f981a66 Fixed -- Allowed overriding the session cookie age with SessionStore.get_session_cookie_age(). 2019-05-21 08:50:09 +02:00
birthdaysgift dc740dde50 Fixed -- Added 'Vary: Cookie' to invalid/empty session cookie responses. 2019-03-21 18:02:49 -04:00
Jon Dufresne 7785e03ba8 Fixed -- Replaced OSError aliases with the canonical OSError.
Used more specific errors (e.g. FileExistsError) as appropriate.
2019-01-28 11:15:06 -05:00
Simon Charette 0f212db29d Made reused RequestFactory instances class attributes. 2018-11-27 09:49:02 -05:00
Jon Dufresne bdae19cf63 Refs -- Removed force_bytes() usage in sessions.
SessionBase.decode() is the inverse operation to SessionBase.encode().
As SessionBase.encode() always returns a string, SessionBase.decode()
should always be passed a string argument. Fixed the file backend, which
was the only backend still passing a bytestring.
2018-10-03 11:11:42 +02:00
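The encode()/decode() contract the d4fff711d4 and bdae19cf63 entries describe (a signed string out, that same string back in, and no crash when the data does not verify, the regression the 4376c2c7f8 entry fixed) as an added toy illustration in Python. This is not Django's SessionBase or django.core.signing; SECRET_KEY, SALT, the salted-HMAC key derivation and the base64(json):base64(hmac) layout are assumptions made here for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict

# Constructed for this example; a real deployment keeps this secret server-side.
SECRET_KEY = b"example-secret-key-not-for-production"
SALT = b"toy.sessions.serializer"


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    # Salted HMAC (assumed scheme): the salt namespaces the key so a MAC made
    # for another purpose (a signed cookie, a reset token) cannot be replayed
    # as a session signature.
    key = hmac.new(SALT, SECRET_KEY, hashlib.sha256).digest()
    mac = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return _b64encode(mac)


def encode(session_dict: Dict[str, Any]) -> str:
    """Serialize to a str of the form base64(json):base64(hmac)."""
    body = json.dumps(session_dict, sort_keys=True, separators=(",", ":"))
    payload = _b64encode(body.encode("utf-8"))
    return f"{payload}:{_sign(payload)}"


def decode(session_data: str) -> Dict[str, Any]:
    """Inverse of encode(): str in, dict out.

    Anything that does not verify (corrupt, truncated, tampered, or written
    by an older format) yields an empty session instead of an exception.
    """
    if not isinstance(session_data, str):
        # Same contract as the commit above: callers pass the str that
        # encode() produced, never a bytestring.
        raise TypeError("decode() expects the str returned by encode()")
    try:
        payload, signature = session_data.rsplit(":", 1)
        # Verify the MAC in constant time before touching the payload.
        expected = _sign(payload).encode("ascii")
        if not hmac.compare_digest(signature.encode("utf-8"), expected):
            return {}
        data = json.loads(_b64decode(payload).decode("utf-8"))
        return data if isinstance(data, dict) else {}
    except (ValueError, UnicodeDecodeError):
        # ValueError covers a missing ':', non-ASCII in the payload, bad
        # base64 (binascii.Error) and malformed JSON (JSONDecodeError).
        return {}
```

Two points carry over to any real serializer: the signature is checked before the payload is deserialized, so an attacker never gets a parser run on unauthenticated bytes, and every failure path collapses to an empty session rather than an exception, which is what a middleware needs when an old or forged cookie arrives.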
Claude Paroz 607970f31c Replaced django.test.utils.patch_logger() with assertLogs().
Thanks Tim Graham for the review.
2018-05-07 09:34:00 -04:00
Alex Gaynor 9a56b4b13e Fixed -- Added support for the SameSite cookie flag.
Thanks Alex Gaynor for contributing to the patch.
2018-04-13 20:58:31 -04:00
Mariusz Felisiak 362813d628 Fixed hanging indentation in various code. 2018-03-16 10:54:34 +01:00
Alexey 0afffae4ec Fixed -- Updated Set-Cookie's Expires date format to follow RFC 7231. 2018-01-02 11:22:59 -05:00
Tim Graham cfff2af02b Fixed -- Dropped support for Python 3.4. 2017-09-25 17:11:03 -04:00
Tim Graham cde31daf88 Sorted imports per isort 4.2.9. 2017-06-01 13:23:48 -04:00
Tim Graham 67702f3505 Converted sessions_tests to use assertIs() rather than assertTrue/False(). 2017-05-03 20:21:39 -04:00
Tim Graham 578e576c31 Fixed -- Fixed cache backend's SessionStore.exists() if session_key is None. 2017-05-03 12:39:07 -04:00
Mariusz Felisiak 81f8449402 Refs -- Fixed nondeterministic ordering test failure in sessions_tests.
Thanks Tim Graham for the review.
2017-04-18 17:56:59 +02:00
InvalidInterrupt dda596ca32 Fixed -- Prevented SessionBase.cycle_key() from discarding data. 2017-04-17 09:58:19 -04:00
chillaranand d6eaf7c018 Refs -- Replaced super(ClassName, self) with super(). 2017-01-25 12:23:46 -05:00
Claude Paroz 2366100872 Removed unneeded force_text calls in the test suite 2017-01-24 18:45:54 +01:00
Srinivas Reddy Thatiparthy eb0b921c29 Refs -- Removed SessionBase.iterkeys(), itervalues(), iteritems().
These methods only work on Python 2.
2017-01-19 14:15:00 -05:00
Simon Charette cecc079168 Refs -- Stopped inheriting from object to define new style classes. 2017-01-19 08:39:46 +01:00
Claude Paroz 2b281cc35e Refs -- Removed most of remaining six usage
Thanks Tim Graham for the review.
2017-01-18 21:33:28 +01:00
za 321e94fa41 Refs -- Removed "Tests that", "Ensures that", etc. from test docstrings. 2016-11-10 21:30:21 -05:00
Andrew Nester 1ce04bcce0 Fixed -- Replaced unsafe redirect in SessionMiddleware with SuspiciousOperation. 2016-11-01 07:15:56 -04:00
Adam Zapletal 887f3d3219 Fixed -- Fixed Session.cycle_key() crash on unaccessed session. 2016-08-08 13:01:25 -04:00
Tim Graham c9ae09addf Replaced use of TestCase.fail() with assertRaises().
Also removed try/except/fail antipattern that hides exceptions.
2016-06-28 11:21:26 -04:00
Jon Dufresne d13881bd34 Fixed -- Fixed SessionMiddleware's empty cookie deletion when using SESSION_COOKIE_PATH. 2016-06-21 11:03:25 -04:00
Jon Dufresne 4f336f6652 Fixed -- Used more specific assertions in the Django test suite. 2016-06-16 14:19:18 -04:00
Tobias Kroenke b040ac06eb Fixed -- Fixed a regression where SessionBase.pop() didn't return a KeyError. 2016-04-20 13:06:47 -04:00
Nicolas Noé 973f393761 Refs -- Added a test for SessionBase.pop()'s 'default' argument. 2016-04-20 12:57:07 -04:00
Tim Graham 92053acbb9 Fixed E128 flake8 warnings in tests/. 2016-04-08 10:12:33 -04:00
Jon Dufresne 5faf745999 Refs -- Fixed incorrect cache key in cache session backend's save().
The bug was introduced commit 3389c5ea22.
2016-04-04 07:41:59 -04:00
Tore Lundqvist 3389c5ea22 Fixed -- Prevented logged out sessions being resurrected by concurrent requests.
Thanks Simon Charette for the review.
2016-02-26 18:56:56 -05:00
Simon Charette 62ea86448e Cleaned up session backends tests.
Made SessionTestsMixin backend agnostic and removed code obsoleted by the test
discovery refactor.
2016-02-26 11:22:33 -05:00
Simon Charette 19318507d9 Stopped registering the sessions tests models to the sessions app. 2016-02-04 12:28:09 -05:00
Hasan 3d0dcd7f5a Refs -- Used context manager version of assertRaises in tests. 2016-01-29 12:32:18 -05:00
John Vandenberg 9e3f6c7483 Fixed quad quoted ("""") docstring starts. 2015-10-20 12:19:17 -04:00
Aleksandra Tarkowska c055224763 Fixed -- Allowed clearsessions to remove file-based sessions. 2015-10-03 09:21:10 -04:00
Sergey Kolosov 22bb548900 Fixed -- Made the database-backed session backends more extensible.
Introduced an AbstractBaseSession model and hooks providing the option
of overriding the model class used by the session store and the session
store class used by the model.
2015-08-27 15:00:09 -04:00
Tim Graham 867d287b3a Added a test to ensure empty sessions are saved. 2015-08-20 10:24:19 -04:00
Tim Graham 8cc41ce7a7 Fixed DoS possibility in contrib.auth.views.logout()
Thanks Florian Apolloner and Carl Meyer for review.

This is a security fix.
2015-08-18 08:03:43 -04:00
Carl Meyer df049ed77a Fixed -- Avoided creating a session record when loading the session.
The session record is now only created if/when the session is modified. This
prevents a potential DoS via creation of many empty session records.

This is a security fix; disclosure to follow shortly.
2015-07-08 15:23:03 -04:00
David Bannon f4416b1a8b Fixed -- Added stricter session key validation
Changed _session_key attribute to a property and implemented basic
validation in the setter. The session key must be 'truthy' and
at least 8 characters long. Otherwise, the value is set to None.
2015-06-06 20:04:20 -04:00
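The two behaviours described in the df049ed77a and f4416b1a8b entries (no backend record until the session is modified, and a session key that must be truthy and at least 8 characters or is dropped to None), together with the cycle_key()/flush() semantics from the dda596ca32 and 088579638b entries, as an added Python illustration. This is a toy in-memory store written for this page, not Django's SessionBase or any of its backends; the dict backend, the 32-hex-character key, and the handle_request() helper standing in for the middleware are all assumptions made here.

```python
import secrets
from typing import Dict, Optional


class ToySessionStore:
    """Illustrative store; `backend` is a plain dict keyed by session key."""

    def __init__(self, backend: Dict[str, dict], session_key: Optional[str] = None) -> None:
        self._backend = backend
        self._session_cache: Optional[dict] = None
        self.modified = False
        self.session_key = session_key  # runs the validating setter below

    @property
    def session_key(self) -> Optional[str]:
        return self._session_key

    @session_key.setter
    def session_key(self, value: Optional[str]) -> None:
        # Rule from the commit above: the key must be truthy and at least
        # 8 characters long; anything else is treated as "no session".
        self._session_key = value if (value and len(value) >= 8) else None

    def _new_key(self) -> str:
        while True:
            key = secrets.token_hex(16)  # 32 hex chars from the OS CSPRNG
            if key not in self._backend:
                return key

    def load(self) -> dict:
        # Loading is read-only. An unknown key is discarded rather than
        # adopted (so a client cannot pick its own key) and nothing is
        # written, so a flood of bogus cookies cannot fill the backend.
        key = self.session_key
        if key is not None and key in self._backend:
            return dict(self._backend[key])
        self.session_key = None
        return {}

    @property
    def _session(self) -> dict:
        if self._session_cache is None:
            self._session_cache = self.load()
        return self._session_cache

    def get(self, key: str, default=None):
        return self._session.get(key, default)

    def __getitem__(self, key: str):
        return self._session[key]

    def __setitem__(self, key: str, value) -> None:
        self._session[key] = value
        self.modified = True

    def save(self) -> None:
        # The only place a record is created; a key is allocated on first save.
        if self.session_key is None:
            self.session_key = self._new_key()
        self._backend[self.session_key] = dict(self._session)
        self.modified = False

    def cycle_key(self) -> None:
        # Re-key (e.g. at login): same data, fresh key, old record removed.
        data = dict(self._session)
        old_key = self.session_key
        self.session_key = self._new_key()
        self._session_cache = data
        self._backend[self.session_key] = data
        if old_key is not None:
            self._backend.pop(old_key, None)

    def flush(self) -> None:
        # Logout: delete the record and forget the key in one step.
        if self.session_key is not None:
            self._backend.pop(self.session_key, None)
        self._session_cache = {}
        self.session_key = None


def handle_request(backend: Dict[str, dict], cookie: Optional[str],
                   user_id: Optional[int] = None) -> Optional[str]:
    """Mimic the middleware: load lazily, write back only when modified.

    Returns the key to set in the response cookie, or None when the session
    was merely read and nothing was written to the backend.
    """
    store = ToySessionStore(backend, cookie)
    store.get("user_id")  # a view reading the session never causes a write
    if user_id is not None:
        store["user_id"] = user_id
    if store.modified:
        store.save()
        return store.session_key
    return None
```

The property-based check keeps an attacker-supplied short or empty cookie from ever reaching the backend as a lookup key, and the modified flag means an unauthenticated crawler hitting the site with fresh or forged cookies leaves the session table exactly as it found it.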
Tim Graham 088579638b Fixed incorrect session.flush() in cached_db session backend.
This is a security fix; disclosure to follow shortly.

Thanks Sam Cooke for the report and draft patch.
2015-05-20 13:48:06 -04:00