diff options
| author | Malcolm Tredinnick <malcolm.tredinnick@gmail.com> | 2008-08-14 03:58:00 +0000 |
|---|---|---|
| committer | Malcolm Tredinnick <malcolm.tredinnick@gmail.com> | 2008-08-14 03:58:00 +0000 |
| commit | 97a7dab2b19b87652bc15c5db4cb06cd7011fe4d (patch) | |
| tree | 5da5e6d0dfb046a89335a650bc790cb340aca55f /django | |
| parent | 5e8efa9a6032f9c4278199ab354c3ff742387263 (diff) | |
Fixed #6941 -- When logging a user out, or when logging in with an existing
session and a different user id to the current session owner, flush the session
data to avoid leakage. Logging in and moving from an anonymous user to a
validated user still keeps existing session data.
Backwards incompatible if you were assuming sessions persisted past logout.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8343 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'django')
| -rw-r--r-- | django/contrib/auth/__init__.py | 16 |
1 files changed, 7 insertions, 9 deletions
diff --git a/django/contrib/auth/__init__.py b/django/contrib/auth/__init__.py index 9813d9a2a2..e73e34b816 100644 --- a/django/contrib/auth/__init__.py +++ b/django/contrib/auth/__init__.py @@ -53,6 +53,10 @@ def login(request, user): # TODO: It would be nice to support different login methods, like signed cookies. user.last_login = datetime.datetime.now() user.save() + if request.session.get('SESSION_KEY', user.id) != user.id: + # To avoid reusing another user's session, create a new, empty session + # if the existing session corresponds to a different authenticated user. + request.session.flush() request.session[SESSION_KEY] = user.id request.session[BACKEND_SESSION_KEY] = user.backend if hasattr(request, 'user'): @@ -60,16 +64,10 @@ def login(request, user): def logout(request): """ - Remove the authenticated user's ID from the request. + Removes the authenticated user's ID from the request and flushes their + session data. """ - try: - del request.session[SESSION_KEY] - except KeyError: - pass - try: - del request.session[BACKEND_SESSION_KEY] - except KeyError: - pass + request.session.flush() if hasattr(request, 'user'): from django.contrib.auth.models import AnonymousUser request.user = AnonymousUser() |
