summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMariusz Felisiak <felisiak.mariusz@gmail.com>2021-01-12 20:31:36 +0100
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2021-01-14 17:50:04 +0100
commit6b4941dd577c494cfa49dbeacfd33594ae770047 (patch)
treebf4948ae43a686ae0e5956d64d7f46cfeb331337
parentd32a232fe92e0162030c7905f877d8a07c09e6c7 (diff)
Refs #27468 -- Removed support for the pre-Django 3.1 user sessions.
Per deprecation timeline.
-rw-r--r--django/contrib/auth/__init__.py9
-rw-r--r--django/contrib/auth/base_user.py5
-rw-r--r--docs/releases/4.0.txt3
-rw-r--r--tests/auth_tests/test_middleware.py10
-rw-r--r--tests/auth_tests/test_views.py23
5 files changed, 6 insertions, 44 deletions
diff --git a/django/contrib/auth/__init__.py b/django/contrib/auth/__init__.py
index cad8eff149..1e15665ced 100644
--- a/django/contrib/auth/__init__.py
+++ b/django/contrib/auth/__init__.py
@@ -190,13 +190,8 @@ def get_user(request):
user.get_session_auth_hash()
)
if not session_hash_verified:
- if not (
- session_hash and
- hasattr(user, '_legacy_get_session_auth_hash') and
- constant_time_compare(session_hash, user._legacy_get_session_auth_hash())
- ):
- request.session.flush()
- user = None
+ request.session.flush()
+ user = None
return user or AnonymousUser()
diff --git a/django/contrib/auth/base_user.py b/django/contrib/auth/base_user.py
index 3a4a64ee19..26145a7e50 100644
--- a/django/contrib/auth/base_user.py
+++ b/django/contrib/auth/base_user.py
@@ -121,11 +121,6 @@ class AbstractBaseUser(models.Model):
"""
return is_password_usable(self.password)
- def _legacy_get_session_auth_hash(self):
- # RemovedInDjango40Warning: pre-Django 3.1 hashes will be invalid.
- key_salt = 'django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash'
- return salted_hmac(key_salt, self.password, algorithm='sha1').hexdigest()
-
def get_session_auth_hash(self):
"""
Return an HMAC of the password field.
diff --git a/docs/releases/4.0.txt b/docs/releases/4.0.txt
index 0088953b3e..4d0392ae5c 100644
--- a/docs/releases/4.0.txt
+++ b/docs/releases/4.0.txt
@@ -292,3 +292,6 @@ to remove usage of these features.
* Support for the pre-Django 3.1 ``django.core.signing.dumps()`` signatures
(encoded with the SHA-1 algorithm) in ``django.core.signing.loads()`` is
removed.
+
+* Support for the pre-Django 3.1 user sessions (that use the SHA-1 algorithm)
+ is removed.
diff --git a/tests/auth_tests/test_middleware.py b/tests/auth_tests/test_middleware.py
index b6151acb19..c6e0a7cc8d 100644
--- a/tests/auth_tests/test_middleware.py
+++ b/tests/auth_tests/test_middleware.py
@@ -24,16 +24,6 @@ class TestAuthenticationMiddleware(TestCase):
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous)
- def test_no_password_change_does_not_invalidate_legacy_session(self):
- # RemovedInDjango40Warning: pre-Django 3.1 hashes will be invalid.
- session = self.client.session
- session[HASH_SESSION_KEY] = self.user._legacy_get_session_auth_hash()
- session.save()
- self.request.session = session
- self.middleware(self.request)
- self.assertIsNotNone(self.request.user)
- self.assertFalse(self.request.user.is_anonymous)
-
@ignore_warnings(category=RemovedInDjango40Warning)
def test_session_default_hashing_algorithm(self):
hash_session = self.client.session[HASH_SESSION_KEY]
diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py
index 4fb61b9be5..e57d661772 100644
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@@ -9,7 +9,7 @@ from django.apps import apps
from django.conf import settings
from django.contrib.admin.models import LogEntry
from django.contrib.auth import (
- BACKEND_SESSION_KEY, HASH_SESSION_KEY, REDIRECT_FIELD_NAME, SESSION_KEY,
+ BACKEND_SESSION_KEY, REDIRECT_FIELD_NAME, SESSION_KEY,
)
from django.contrib.auth.forms import (
AuthenticationForm, PasswordChangeForm, SetPasswordForm,
@@ -710,27 +710,6 @@ class LoginTest(AuthViewsTestCase):
self.login(password='foobar')
self.assertNotEqual(original_session_key, self.client.session.session_key)
- def test_legacy_session_key_flushed_on_login(self):
- # RemovedInDjango40Warning.
- user = User.objects.get(username='testclient')
- engine = import_module(settings.SESSION_ENGINE)
- session = engine.SessionStore()
- session[SESSION_KEY] = user.id
- session[HASH_SESSION_KEY] = user._legacy_get_session_auth_hash()
- session.save()
- original_session_key = session.session_key
- self.client.cookies[settings.SESSION_COOKIE_NAME] = original_session_key
- # Legacy session key is flushed on login.
- self.login()
- self.assertNotEqual(original_session_key, self.client.session.session_key)
- # Legacy session key is flushed after a password change.
- user.set_password('password_2')
- user.save()
- original_session_key = session.session_key
- self.client.cookies[settings.SESSION_COOKIE_NAME] = original_session_key
- self.login(password='password_2')
- self.assertNotEqual(original_session_key, self.client.session.session_key)
-
def test_login_session_without_hash_session_key(self):
"""
Session without django.contrib.auth.HASH_SESSION_KEY should login