summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorDavid Wobrock <david.wobrock@gmail.com>2023-03-06 16:18:03 +0100
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2023-03-08 10:48:04 +0100
commit2396933ca99c6bfb53bda9e53968760316646e01 (patch)
tree4e28cc9bf22bed440c3d42b0c1f6cb615aec849e /docs
parent9b224579875e30203d079cc2fee83b116d98eb78 (diff)
Fixed #34384 -- Fixed session validation when rotation secret keys.
Bug in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7. Thanks Eric Zarowny for the report.
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/contrib/auth.txt9
-rw-r--r--docs/releases/4.1.8.txt3
-rw-r--r--docs/topics/auth/customizing.txt7
3 files changed, 17 insertions, 2 deletions
diff --git a/docs/ref/contrib/auth.txt b/docs/ref/contrib/auth.txt
index 241a0219bd..90ae5904a8 100644
--- a/docs/ref/contrib/auth.txt
+++ b/docs/ref/contrib/auth.txt
@@ -695,10 +695,17 @@ Utility functions
``get_user()`` method to retrieve the user model instance and then verifies
the session by calling the user model's
:meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash`
- method.
+ method. If the verification fails and :setting:`SECRET_KEY_FALLBACKS` are
+ provided, it verifies the session against each fallback key using
+ :meth:`~django.contrib.auth.models.AbstractBaseUser.\
+ get_session_auth_fallback_hash`.
Returns an instance of :class:`~django.contrib.auth.models.AnonymousUser`
if the authentication backend stored in the session is no longer in
:setting:`AUTHENTICATION_BACKENDS`, if a user isn't returned by the
backend's ``get_user()`` method, or if the session auth hash doesn't
validate.
+
+ .. versionchanged:: 4.1.8
+
+ Fallback verification with :setting:`SECRET_KEY_FALLBACKS` was added.
diff --git a/docs/releases/4.1.8.txt b/docs/releases/4.1.8.txt
index 685580f33c..9f3dd167ed 100644
--- a/docs/releases/4.1.8.txt
+++ b/docs/releases/4.1.8.txt
@@ -9,4 +9,5 @@ Django 4.1.8 fixes several bugs in 4.1.7.
Bugfixes
========
-* ...
+* Fixed a bug in Django 4.1 that caused invalidation of sessions when rotating
+ secret keys with ``SECRET_KEY_FALLBACKS`` (:ticket:`34384`).
diff --git a/docs/topics/auth/customizing.txt b/docs/topics/auth/customizing.txt
index 3b688c8b5c..6cc48cacb1 100644
--- a/docs/topics/auth/customizing.txt
+++ b/docs/topics/auth/customizing.txt
@@ -722,6 +722,13 @@ The following attributes and methods are available on any subclass of
Returns an HMAC of the password field. Used for
:ref:`session-invalidation-on-password-change`.
+ .. method:: models.AbstractBaseUser.get_session_auth_fallback_hash()
+
+ .. versionadded:: 4.1.8
+
+ Yields the HMAC of the password field using
+ :setting:`SECRET_KEY_FALLBACKS`. Used by ``get_user()``.
+
:class:`~models.AbstractUser` subclasses :class:`~models.AbstractBaseUser`:
.. class:: models.AbstractUser