From 2f5485346ee6f84b4e52068c04e043092daf55f7 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Wed, 5 Aug 2015 17:44:48 -0400 Subject: [1.7.x] Fixed DoS possiblity in contrib.auth.views.logout() Refs #20936 -- When logging out/ending a session, don't create a new, empty session. Previously, when logging out, the existing session was overwritten by a new sessionid instead of deleting the session altogether. This behavior added overhead by creating a new session record in whichever backend was in use: db, cache, etc. This extra session is unnecessary at the time since no session data is meant to be preserved when explicitly logging out. Backport of 393c0e24223c701edeb8ce7dc9d0f852f0c081ad, 088579638b160f3716dc81d194be70c72743593f, and 2dee853ed4def42b7ef1b3b472b395055543cc00 from master Thanks Florian Apolloner and Carl Meyer for review. This is a security fix. --- docs/topics/http/sessions.txt | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'docs/topics/http') diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt index 85431b5b1c..f261a27f24 100644 --- a/docs/topics/http/sessions.txt +++ b/docs/topics/http/sessions.txt @@ -226,12 +226,18 @@ You can edit it multiple times. .. method:: flush() - Delete the current session data from the session and regenerate the - session key value that is sent back to the user in the cookie. This is - used if you want to ensure that the previous session data can't be - accessed again from the user's browser (for example, the + Deletes the current session data from the session and deletes the session + cookie. This is used if you want to ensure that the previous session data + can't be accessed again from the user's browser (for example, the :func:`django.contrib.auth.logout()` function calls it). + .. versionchanged:: 1.7.10 + + Deletion of the session cookie was added. Previously, the behavior + was to regenerate the session key value that was sent back to the + user in the cookie, but this could be a denial-of-service + vulnerability. + .. method:: set_test_cookie() Sets a test cookie to determine whether the user's browser supports -- cgit v1.3