summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2015-08-05 16:51:42 -0400
committerTim Graham <timograham@gmail.com>2015-08-18 08:15:15 -0400
commit2eb86b01d7b59be06076f6179a454d0fd0afaff6 (patch)
tree66211d34d5a0ee5e3e9db148539dbc2395e32176 /tests
parent048bccb1bea6e13113f6d5fee7b311604ff2ea1f (diff)
[1.8.x] Fixed DoS possiblity in contrib.auth.views.logout()
Thanks Florian Apolloner and Carl Meyer for review. This is a security fix.
Diffstat (limited to 'tests')
-rw-r--r--tests/sessions_tests/tests.py17
1 files changed, 17 insertions, 0 deletions
diff --git a/tests/sessions_tests/tests.py b/tests/sessions_tests/tests.py
index a1aab37273..220ddb2eda 100644
--- a/tests/sessions_tests/tests.py
+++ b/tests/sessions_tests/tests.py
@@ -660,6 +660,23 @@ class SessionMiddlewareTests(TestCase):
str(response.cookies[settings.SESSION_COOKIE_NAME])
)
+ def test_flush_empty_without_session_cookie_doesnt_set_cookie(self):
+ request = RequestFactory().get('/')
+ response = HttpResponse('Session test')
+ middleware = SessionMiddleware()
+
+ # Simulate a request that ends the session
+ middleware.process_request(request)
+ request.session.flush()
+
+ # Handle the response through the middleware
+ response = middleware.process_response(request, response)
+
+ # A cookie should not be set.
+ self.assertEqual(response.cookies, {})
+ # The session is accessed so "Vary: Cookie" should be set.
+ self.assertEqual(response['Vary'], 'Cookie')
+
# Don't need DB flushing for these tests, so can use unittest.TestCase as base class
class CookieSessionTests(SessionTestsMixin, unittest.TestCase):