| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-04-29 16:45:00 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-04-29 16:45:00 +0200 |
| commit | 54646a423b4501aeb80bbdd9238f20500c84cd5f (patch) | |
| tree | e4c55114664eb0a38fcd51ab14c116885ada86b2 /tests/auth_tests/test_views.py | |
| parent | 5869afe32b9c252cacd327f18c58e38c36d1f530 (diff) | |
Refs #27468 -- Made user sessions use SHA-256 algorithm.
Diffstat (limited to 'tests/auth_tests/test_views.py')
| -rw-r--r-- | tests/auth_tests/test_views.py | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py
index f33cbc8382..48278e23f9 100644
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@@ -10,7 +10,7 @@ from django.apps import apps
 from django.conf import settings
 from django.contrib.admin.models import LogEntry
 from django.contrib.auth import (
- BACKEND_SESSION_KEY, REDIRECT_FIELD_NAME, SESSION_KEY,
+ BACKEND_SESSION_KEY, HASH_SESSION_KEY, REDIRECT_FIELD_NAME, SESSION_KEY,
 )
 from django.contrib.auth.forms import (
 AuthenticationForm, PasswordChangeForm, SetPasswordForm,
@@ -711,6 +711,27 @@ class LoginTest(AuthViewsTestCase):
 self.login(password='foobar')
 self.assertNotEqual(original_session_key, self.client.session.session_key)
 
+ def test_legacy_session_key_flushed_on_login(self):
+ # RemovedInDjango40Warning.
+ user = User.objects.get(username='testclient')
+ engine = import_module(settings.SESSION_ENGINE)
+ session = engine.SessionStore()
+ session[SESSION_KEY] = user.id
+ session[HASH_SESSION_KEY] = user._legacy_get_session_auth_hash()
+ session.save()
+ original_session_key = session.session_key
+ self.client.cookies[settings.SESSION_COOKIE_NAME] = original_session_key
+ # Legacy session key is flushed on login.
+ self.login()
+ self.assertNotEqual(original_session_key, self.client.session.session_key)
+ # Legacy session key is flushed after a password change.
+ user.set_password('password_2')
+ user.save()
+ original_session_key = session.session_key
+ self.client.cookies[settings.SESSION_COOKIE_NAME] = original_session_key
+ self.login(password='password_2')
+ self.assertNotEqual(original_session_key, self.client.session.session_key)
+
 def test_login_session_without_hash_session_key(self):
 """
 Session without django.contrib.auth.HASH_SESSION_KEY should login |
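Review bot: The password-change half of `test_legacy_session_key_flushed_on_login` does not appear to exercise a legacy hash at all: after `user.save()` it re-reads `session.session_key` from the same `SessionStore` object, which nothing in between has touched, so the cookie is reset to the very key the first `assertNotEqual` just showed was replaced. If the first login flushed that session, as the test's own comment says, the store presumably no longer holds it, and the final assertion would then pass for any unknown session cookie, with or without the legacy-hash handling. Seeding a fresh session whose `HASH_SESSION_KEY` is the legacy hash computed after `set_password()` would make the second case meaningful, as sketched below. How `self.login()` and the configured session backend treat a missing key is outside this hunk, so the behaviour should be confirmed before relying on this reading.

```python
        # … unchanged: first login and assertion against the legacy session …
        user.set_password('password_2')
        user.save()
        session = engine.SessionStore()
        session[SESSION_KEY] = user.id
        session[HASH_SESSION_KEY] = user._legacy_get_session_auth_hash()
        session.save()
        original_session_key = session.session_key
        # … unchanged: cookie assignment, login(password='password_2'), assertNotEqual …
```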
