Refs #27468 -- Made user sessions use SHA-256 algorithm.

1 files changed, 11 insertions, 0 deletions

diff --git a/tests/auth_tests/test_middleware.py b/tests/auth_tests/test_middleware.py
index 3c31475d27..5538225acb 100644
--- a/tests/auth_tests/test_middleware.py
+++ b/tests/auth_tests/test_middleware.py
@@ -1,3 +1,4 @@
+from django.contrib.auth import HASH_SESSION_KEY
 from django.contrib.auth.middleware import AuthenticationMiddleware
 from django.contrib.auth.models import User
 from django.http import HttpRequest, HttpResponse
@@ -18,6 +19,16 @@ class TestAuthenticationMiddleware(TestCase):
         self.assertIsNotNone(self.request.user)
         self.assertFalse(self.request.user.is_anonymous)
 
+    def test_no_password_change_does_not_invalidate_legacy_session(self):
+        # RemovedInDjango40Warning: pre-Django 3.1 hashes will be invalid.
+        session = self.client.session
+        session[HASH_SESSION_KEY] = self.user._legacy_get_session_auth_hash()
+        session.save()
+        self.request.session = session
+        self.middleware(self.request)
+        self.assertIsNotNone(self.request.user)
+        self.assertFalse(self.request.user.is_anonymous)
+
     def test_changed_password_invalidates_session(self):
         # After password change, user should be anonymous
         self.user.set_password('new_password')