diff options
| author | Tim Graham <timograham@gmail.com> | 2015-05-11 09:58:43 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-05-20 13:49:07 -0400 |
| commit | 31cb25adecba930bdeee4556709f5a1c42d88fd6 (patch) | |
| tree | 506f55142bdb93cf872f0c22c237a21329ecf884 /docs | |
| parent | 2b2a2157d0f4f1c7c4244374a460953846c65dd4 (diff) | |
[1.8.x] Fixed incorrect session.flush() in cached_db session backend.
This is a security fix; disclosure to follow shortly.
Thanks Sam Cooke for the report and draft patch.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.8.2.txt | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/docs/releases/1.8.2.txt b/docs/releases/1.8.2.txt index 635bc96e92..2351664203 100644 --- a/docs/releases/1.8.2.txt +++ b/docs/releases/1.8.2.txt @@ -4,7 +4,23 @@ Django 1.8.2 release notes *Under development* -Django 1.8.2 fixes several bugs in 1.8.1. +Django 1.8.2 fixes a security issue and several bugs in 1.8.1. + +Fixed session flushing in the ``cached_db`` backend +=================================================== + +A change to ``session.flush()`` in the ``cached_db`` session backend in Django +1.8 mistakenly sets the session key to an empty string rather than ``None``. An +empty string is treated as a valid session key and the session cookie is set +accordingly. Any users with an empty string in their session cookie will use +the same session store. ``session.flush()`` is called by +``django.contrib.auth.logout()`` and, more seriously, by +``django.contrib.auth.login()`` when a user switches accounts. If a user is +logged in and logs in again to a different account (without logging out) the +session is flushed to avoid reuse. After the session is flushed (and its +session key becomes ``''``) the account details are set on the session and the +session is saved. Any users with an empty string in their session cookie will +now be logged into that account. Bugfixes ======== |
