diff options
| author | Tim Graham <timograham@gmail.com> | 2015-08-05 17:44:48 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-08-18 08:24:51 -0400 |
| commit | 2f5485346ee6f84b4e52068c04e043092daf55f7 (patch) | |
| tree | e1ec11a78988899a5abd812beb0014e4fde67d21 /django/contrib/sessions/backends/cached_db.py | |
| parent | 95af89466893fee083b04b86b77c0226d031e128 (diff) | |
[1.7.x] Fixed DoS possiblity in contrib.auth.views.logout()
Refs #20936 -- When logging out/ending a session, don't create a new, empty session.
Previously, when logging out, the existing session was overwritten by a
new sessionid instead of deleting the session altogether.
This behavior added overhead by creating a new session record in
whichever backend was in use: db, cache, etc.
This extra session is unnecessary at the time since no session data is
meant to be preserved when explicitly logging out.
Backport of 393c0e24223c701edeb8ce7dc9d0f852f0c081ad,
088579638b160f3716dc81d194be70c72743593f, and
2dee853ed4def42b7ef1b3b472b395055543cc00 from master
Thanks Florian Apolloner and Carl Meyer for review.
This is a security fix.
Diffstat (limited to 'django/contrib/sessions/backends/cached_db.py')
| -rw-r--r-- | django/contrib/sessions/backends/cached_db.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/django/contrib/sessions/backends/cached_db.py b/django/contrib/sessions/backends/cached_db.py index 5cc6f79b5a..5a7664b9b1 100644 --- a/django/contrib/sessions/backends/cached_db.py +++ b/django/contrib/sessions/backends/cached_db.py @@ -79,7 +79,7 @@ class SessionStore(DBStore): """ self.clear() self.delete(self.session_key) - self.create() + self._session_key = None # At bottom to avoid circular import |