summaryrefslogtreecommitdiff
path: root/django
diff options
context:
space:
mode:
authorMalcolm Tredinnick <malcolm.tredinnick@gmail.com>2008-08-14 03:58:00 +0000
committerMalcolm Tredinnick <malcolm.tredinnick@gmail.com>2008-08-14 03:58:00 +0000
commit97a7dab2b19b87652bc15c5db4cb06cd7011fe4d (patch)
tree5da5e6d0dfb046a89335a650bc790cb340aca55f /django
parent5e8efa9a6032f9c4278199ab354c3ff742387263 (diff)
Fixed #6941 -- When logging a user out, or when logging in with an existing
session and a different user id to the current session owner, flush the session data to avoid leakage. Logging in and moving from an anonymous user to a validated user still keeps existing session data. Backwards incompatible if you were assuming sessions persisted past logout. git-svn-id: http://code.djangoproject.com/svn/django/trunk@8343 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'django')
-rw-r--r--django/contrib/auth/__init__.py16
1 files changed, 7 insertions, 9 deletions
diff --git a/django/contrib/auth/__init__.py b/django/contrib/auth/__init__.py
index 9813d9a2a2..e73e34b816 100644
--- a/django/contrib/auth/__init__.py
+++ b/django/contrib/auth/__init__.py
@@ -53,6 +53,10 @@ def login(request, user):
# TODO: It would be nice to support different login methods, like signed cookies.
user.last_login = datetime.datetime.now()
user.save()
+ if request.session.get('SESSION_KEY', user.id) != user.id:
+ # To avoid reusing another user's session, create a new, empty session
+ # if the existing session corresponds to a different authenticated user.
+ request.session.flush()
request.session[SESSION_KEY] = user.id
request.session[BACKEND_SESSION_KEY] = user.backend
if hasattr(request, 'user'):
@@ -60,16 +64,10 @@ def login(request, user):
def logout(request):
"""
- Remove the authenticated user's ID from the request.
+ Removes the authenticated user's ID from the request and flushes their
+ session data.
"""
- try:
- del request.session[SESSION_KEY]
- except KeyError:
- pass
- try:
- del request.session[BACKEND_SESSION_KEY]
- except KeyError:
- pass
+ request.session.flush()
if hasattr(request, 'user'):
from django.contrib.auth.models import AnonymousUser
request.user = AnonymousUser()