summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2014-04-10 08:03:50 -0400
committerTim Graham <timograham@gmail.com>2014-04-17 20:07:05 -0400
commit548acd77fd6356073ad4fa514c3d61f6589da43b (patch)
tree6b0551cfff6cece21efff614573cbd62ddba530f
parentedaff9b0dffc9ad984671673214d671d84abe144 (diff)
[1.7.x] Fixed a KeyError on login with legacy sessions; refs #21649.
Thanks Loic for the report. Backport of 11e30b684d from master
-rw-r--r--django/contrib/auth/__init__.py2
-rw-r--r--django/contrib/auth/tests/test_views.py16
2 files changed, 17 insertions, 1 deletions
diff --git a/django/contrib/auth/__init__.py b/django/contrib/auth/__init__.py
index 795365ae79..a316f6840b 100644
--- a/django/contrib/auth/__init__.py
+++ b/django/contrib/auth/__init__.py
@@ -86,7 +86,7 @@ def login(request, user):
if SESSION_KEY in request.session:
if request.session[SESSION_KEY] != user.pk or (
session_auth_hash and
- request.session[HASH_SESSION_KEY] != session_auth_hash):
+ request.session.get(HASH_SESSION_KEY) != session_auth_hash):
# To avoid reusing another user's session, create a new, empty
# session if the existing session corresponds to a different
# authenticated user.
diff --git a/django/contrib/auth/tests/test_views.py b/django/contrib/auth/tests/test_views.py
index 01e3825bf4..27de1e26b4 100644
--- a/django/contrib/auth/tests/test_views.py
+++ b/django/contrib/auth/tests/test_views.py
@@ -595,6 +595,22 @@ class LoginTest(AuthViewsTestCase):
self.login(password='foobar')
self.assertNotEqual(original_session_key, self.client.session.session_key)
+ def test_login_session_without_hash_session_key(self):
+ """
+ Session without django.contrib.auth.HASH_SESSION_KEY should login
+ without an exception.
+ """
+ user = User.objects.get(username='testclient')
+ engine = import_module(settings.SESSION_ENGINE)
+ session = engine.SessionStore()
+ session[SESSION_KEY] = user.id
+ session.save()
+ original_session_key = session.session_key
+ self.client.cookies[settings.SESSION_COOKIE_NAME] = original_session_key
+
+ self.login()
+ self.assertNotEqual(original_session_key, self.client.session.session_key)
+
@skipIfCustomUser
class LoginURLSettings(AuthViewsTestCase):