diff options
| author | David Wobrock <david.wobrock@gmail.com> | 2023-03-06 16:18:03 +0100 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-03-08 10:48:04 +0100 |
| commit | 2396933ca99c6bfb53bda9e53968760316646e01 (patch) | |
| tree | 4e28cc9bf22bed440c3d42b0c1f6cb615aec849e /docs | |
| parent | 9b224579875e30203d079cc2fee83b116d98eb78 (diff) | |
Fixed #34384 -- Fixed session validation when rotation secret keys.
Bug in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7.
Thanks Eric Zarowny for the report.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/contrib/auth.txt | 9 | ||||
| -rw-r--r-- | docs/releases/4.1.8.txt | 3 | ||||
| -rw-r--r-- | docs/topics/auth/customizing.txt | 7 |
3 files changed, 17 insertions, 2 deletions
diff --git a/docs/ref/contrib/auth.txt b/docs/ref/contrib/auth.txt index 241a0219bd..90ae5904a8 100644 --- a/docs/ref/contrib/auth.txt +++ b/docs/ref/contrib/auth.txt @@ -695,10 +695,17 @@ Utility functions ``get_user()`` method to retrieve the user model instance and then verifies the session by calling the user model's :meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash` - method. + method. If the verification fails and :setting:`SECRET_KEY_FALLBACKS` are + provided, it verifies the session against each fallback key using + :meth:`~django.contrib.auth.models.AbstractBaseUser.\ + get_session_auth_fallback_hash`. Returns an instance of :class:`~django.contrib.auth.models.AnonymousUser` if the authentication backend stored in the session is no longer in :setting:`AUTHENTICATION_BACKENDS`, if a user isn't returned by the backend's ``get_user()`` method, or if the session auth hash doesn't validate. + + .. versionchanged:: 4.1.8 + + Fallback verification with :setting:`SECRET_KEY_FALLBACKS` was added. diff --git a/docs/releases/4.1.8.txt b/docs/releases/4.1.8.txt index 685580f33c..9f3dd167ed 100644 --- a/docs/releases/4.1.8.txt +++ b/docs/releases/4.1.8.txt @@ -9,4 +9,5 @@ Django 4.1.8 fixes several bugs in 4.1.7. Bugfixes ======== -* ... +* Fixed a bug in Django 4.1 that caused invalidation of sessions when rotating + secret keys with ``SECRET_KEY_FALLBACKS`` (:ticket:`34384`). diff --git a/docs/topics/auth/customizing.txt b/docs/topics/auth/customizing.txt index 3b688c8b5c..6cc48cacb1 100644 --- a/docs/topics/auth/customizing.txt +++ b/docs/topics/auth/customizing.txt @@ -722,6 +722,13 @@ The following attributes and methods are available on any subclass of Returns an HMAC of the password field. Used for :ref:`session-invalidation-on-password-change`. + .. method:: models.AbstractBaseUser.get_session_auth_fallback_hash() + + .. versionadded:: 4.1.8 + + Yields the HMAC of the password field using + :setting:`SECRET_KEY_FALLBACKS`. Used by ``get_user()``. + :class:`~models.AbstractUser` subclasses :class:`~models.AbstractBaseUser`: .. class:: models.AbstractUser |
