diff options
| author | David Wobrock <david.wobrock@gmail.com> | 2023-03-06 16:18:03 +0100 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-03-08 10:48:04 +0100 |
| commit | 2396933ca99c6bfb53bda9e53968760316646e01 (patch) | |
| tree | 4e28cc9bf22bed440c3d42b0c1f6cb615aec849e /docs/ref | |
| parent | 9b224579875e30203d079cc2fee83b116d98eb78 (diff) | |
Fixed #34384 -- Fixed session validation when rotation secret keys.
Bug in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7.
Thanks Eric Zarowny for the report.
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/contrib/auth.txt | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/docs/ref/contrib/auth.txt b/docs/ref/contrib/auth.txt index 241a0219bd..90ae5904a8 100644 --- a/docs/ref/contrib/auth.txt +++ b/docs/ref/contrib/auth.txt @@ -695,10 +695,17 @@ Utility functions ``get_user()`` method to retrieve the user model instance and then verifies the session by calling the user model's :meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash` - method. + method. If the verification fails and :setting:`SECRET_KEY_FALLBACKS` are + provided, it verifies the session against each fallback key using + :meth:`~django.contrib.auth.models.AbstractBaseUser.\ + get_session_auth_fallback_hash`. Returns an instance of :class:`~django.contrib.auth.models.AnonymousUser` if the authentication backend stored in the session is no longer in :setting:`AUTHENTICATION_BACKENDS`, if a user isn't returned by the backend's ``get_user()`` method, or if the session auth hash doesn't validate. + + .. versionchanged:: 4.1.8 + + Fallback verification with :setting:`SECRET_KEY_FALLBACKS` was added. |
