| author | Tim Graham <timograham@gmail.com> | 2016-05-13 18:26:10 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-05-13 18:26:10 -0400 |
| commit | 094ea69e072779661d36e46a6caec0fea4b3ca16 (patch) | |
| tree | 23aa5dd02038d7a0a086a1614d3a04bf7838208a | |
| parent | 104727030c52a6cd5e85fdcc64dd6cfc906fc241 (diff) | |
Fixed #26614 -- Used constant_time_compare() in checking session auth hash in login().
| -rw-r--r-- | django/contrib/auth/__init__.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/django/contrib/auth/__init__.py b/django/contrib/auth/__init__.py
index 4f4f08987a..6f2a2e45c3 100644
--- a/django/contrib/auth/__init__.py
+++ b/django/contrib/auth/__init__.py
@@ -100,7 +100,7 @@ def login(request, user, backend=None):
     if SESSION_KEY in request.session:
         if _get_user_session_key(request) != user.pk or (
                 session_auth_hash and
-                request.session.get(HASH_SESSION_KEY) != session_auth_hash):
+                not constant_time_compare(request.session.get(HASH_SESSION_KEY, ''), session_auth_hash)):
             # To avoid reusing another user's session, create a new, empty
             # session if the existing session corresponds to a different
             # authenticated user.
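Review bot: The `''` default passed to `request.session.get(HASH_SESSION_KEY, '')` on the added line deserves a comment, because it changes the type handed to `constant_time_compare()` while deliberately keeping the old outcome: a session with no stored auth hash still compares unequal and is flushed, exactly as the removed `!= session_auth_hash` against `None` did. Suggested comment above the `if`: `# A missing hash becomes '' so constant_time_compare() always gets a str and still reports a mismatch.` The diffstat shows only this one file changing, so no regression test pins the missing-hash and wrong-hash paths; a test that calls login() with a session lacking HASH_SESSION_KEY and asserts the session was cycled would cover that. The diffstat also shows no import change, so `constant_time_compare` must already be imported in this module — worth confirming before merge. The body of `login()` continues past the end of the hunk.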
