summaryrefslogtreecommitdiff
path: root/django
diff options
context:
space:
mode:
authorTore Lundqvist <tlt@mima.x.se>2016-01-08 17:08:08 +0100
committerTim Graham <timograham@gmail.com>2016-02-26 18:56:56 -0500
commit3389c5ea229884a1943873fe7e7ffc2800cefc22 (patch)
tree295945e15bc2403d03c4f78cc1972981f0a2ab61 /django
parent3938b3ccaa85f1c366909a4839696007726a09da (diff)
Fixed #21608 -- Prevented logged out sessions being resurrected by concurrent requests.
Thanks Simon Charette for the review.
Diffstat (limited to 'django')
-rw-r--r--django/contrib/sessions/backends/base.py13
-rw-r--r--django/contrib/sessions/backends/cache.py8
-rw-r--r--django/contrib/sessions/backends/db.py12
-rw-r--r--django/contrib/sessions/backends/file.py8
-rw-r--r--django/contrib/sessions/middleware.py10
5 files changed, 40 insertions, 11 deletions
diff --git a/django/contrib/sessions/backends/base.py b/django/contrib/sessions/backends/base.py
index 718cc54215..bb9bcdac94 100644
--- a/django/contrib/sessions/backends/base.py
+++ b/django/contrib/sessions/backends/base.py
@@ -28,6 +28,13 @@ class CreateError(Exception):
pass
+class UpdateError(Exception):
+ """
+ Occurs if Django tries to update a session that was deleted.
+ """
+ pass
+
+
class SessionBase(object):
"""
Base class for all Session classes.
@@ -301,7 +308,8 @@ class SessionBase(object):
key = self.session_key
self.create()
self._session_cache = data
- self.delete(key)
+ if key:
+ self.delete(key)
# Methods that child classes must implement.
@@ -323,7 +331,8 @@ class SessionBase(object):
"""
Saves the session data. If 'must_create' is True, a new session object
is created (otherwise a CreateError exception is raised). Otherwise,
- save() can update an existing object with the same key.
+ save() only updates an existing object and does not create one
+ (an UpdateError is raised).
"""
raise NotImplementedError('subclasses of SessionBase must provide a save() method')
diff --git a/django/contrib/sessions/backends/cache.py b/django/contrib/sessions/backends/cache.py
index 268e06576a..602596073d 100644
--- a/django/contrib/sessions/backends/cache.py
+++ b/django/contrib/sessions/backends/cache.py
@@ -1,5 +1,7 @@
from django.conf import settings
-from django.contrib.sessions.backends.base import CreateError, SessionBase
+from django.contrib.sessions.backends.base import (
+ CreateError, SessionBase, UpdateError,
+)
from django.core.cache import caches
from django.utils.six.moves import range
@@ -55,8 +57,10 @@ class SessionStore(SessionBase):
return self.create()
if must_create:
func = self._cache.add
- else:
+ elif self._cache.get(self.session_key) is not None:
func = self._cache.set
+ else:
+ raise UpdateError
result = func(self.cache_key,
self._get_session(no_load=must_create),
self.get_expiry_age())
diff --git a/django/contrib/sessions/backends/db.py b/django/contrib/sessions/backends/db.py
index ae2470e120..7ed6945431 100644
--- a/django/contrib/sessions/backends/db.py
+++ b/django/contrib/sessions/backends/db.py
@@ -1,8 +1,10 @@
import logging
-from django.contrib.sessions.backends.base import CreateError, SessionBase
+from django.contrib.sessions.backends.base import (
+ CreateError, SessionBase, UpdateError,
+)
from django.core.exceptions import SuspiciousOperation
-from django.db import IntegrityError, router, transaction
+from django.db import DatabaseError, IntegrityError, router, transaction
from django.utils import timezone
from django.utils.encoding import force_text
from django.utils.functional import cached_property
@@ -83,11 +85,15 @@ class SessionStore(SessionBase):
using = router.db_for_write(self.model, instance=obj)
try:
with transaction.atomic(using=using):
- obj.save(force_insert=must_create, using=using)
+ obj.save(force_insert=must_create, force_update=not must_create, using=using)
except IntegrityError:
if must_create:
raise CreateError
raise
+ except DatabaseError:
+ if not must_create:
+ raise UpdateError
+ raise
def delete(self, session_key=None):
if session_key is None:
diff --git a/django/contrib/sessions/backends/file.py b/django/contrib/sessions/backends/file.py
index 9170615f5a..145eeb3f6d 100644
--- a/django/contrib/sessions/backends/file.py
+++ b/django/contrib/sessions/backends/file.py
@@ -7,7 +7,7 @@ import tempfile
from django.conf import settings
from django.contrib.sessions.backends.base import (
- VALID_KEY_CHARS, CreateError, SessionBase,
+ VALID_KEY_CHARS, CreateError, SessionBase, UpdateError,
)
from django.contrib.sessions.exceptions import InvalidSessionKey
from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation
@@ -129,15 +129,17 @@ class SessionStore(SessionBase):
try:
# Make sure the file exists. If it does not already exist, an
# empty placeholder file is created.
- flags = os.O_WRONLY | os.O_CREAT | getattr(os, 'O_BINARY', 0)
+ flags = os.O_WRONLY | getattr(os, 'O_BINARY', 0)
if must_create:
- flags |= os.O_EXCL
+ flags |= os.O_EXCL | os.O_CREAT
fd = os.open(session_file_name, flags)
os.close(fd)
except OSError as e:
if must_create and e.errno == errno.EEXIST:
raise CreateError
+ if not must_create and e.errno == errno.ENOENT:
+ raise UpdateError
raise
# Write the session file without interfering with other threads
diff --git a/django/contrib/sessions/middleware.py b/django/contrib/sessions/middleware.py
index 96751dbbc1..51e0101616 100644
--- a/django/contrib/sessions/middleware.py
+++ b/django/contrib/sessions/middleware.py
@@ -2,6 +2,8 @@ import time
from importlib import import_module
from django.conf import settings
+from django.contrib.sessions.backends.base import UpdateError
+from django.shortcuts import redirect
from django.utils.cache import patch_vary_headers
from django.utils.http import cookie_date
@@ -47,7 +49,13 @@ class SessionMiddleware(object):
# Save the session data and refresh the client cookie.
# Skip session save for 500 responses, refs #3881.
if response.status_code != 500:
- request.session.save()
+ try:
+ request.session.save()
+ except UpdateError:
+ # The user is now logged out; redirecting to same
+ # page will result in a redirect to the login page
+ # if required.
+ return redirect(request.path)
response.set_cookie(settings.SESSION_COOKIE_NAME,
request.session.session_key, max_age=max_age,
expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,