Commit 11e30b68 authored by Tim Graham's avatar Tim Graham

Fixed a KeyError on login with legacy sessions; refs #21649.

Thanks Loic for the report.
parent ecff136f
+1 −1
@@ -86,7 +86,7 @@ def login(request, user):
    if SESSION_KEY in request.session:
        if request.session[SESSION_KEY] != user.pk or (
                session_auth_hash and
                request.session[HASH_SESSION_KEY] != session_auth_hash):
                request.session.get(HASH_SESSION_KEY) != session_auth_hash):
            # To avoid reusing another user's session, create a new, empty
            # session if the existing session corresponds to a different
            # authenticated user.
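Review bot: The `.get()` form of the check, `request.session.get(HASH_SESSION_KEY) != session_auth_hash`, still compares a session-stored authentication hash with `!=`, which is not a constant-time comparison. If `constant_time_compare` from `django.utils.crypto` can be imported in this module (the imports are not visible here), prefer `not constant_time_compare(request.session.get(HASH_SESSION_KEY, ''), session_auth_hash)`. A legacy session with no stored hash now falls into the mismatch branch instead of raising, and that fail-closed choice deserves a comment such as `# A missing hash (legacy session) counts as a mismatch, so the session is replaced rather than reused.` The body of login() starts and ends outside this hunk, so the replacement of the session is inferred from the existing comment rather than seen.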
+16 −0
@@ -594,6 +594,22 @@ class LoginTest(AuthViewsTestCase):
        self.login(password='foobar')
        self.assertNotEqual(original_session_key, self.client.session.session_key)

    def test_login_session_without_hash_session_key(self):
        """
        Session without django.contrib.auth.HASH_SESSION_KEY should login
        without an exception.
        """
        user = User.objects.get(username='testclient')
        engine = import_module(settings.SESSION_ENGINE)
        session = engine.SessionStore()
        session[SESSION_KEY] = user.id
        session.save()
        original_session_key = session.session_key
        self.client.cookies[settings.SESSION_COOKIE_NAME] = original_session_key

        self.login()
        self.assertNotEqual(original_session_key, self.client.session.session_key)


@skipIfCustomUser
class LoginURLSettings(AuthViewsTestCase):
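Review bot: test_login_session_without_hash_session_key asserts only that the session key changed, so it would still pass if the replacement session were created without an auth hash or bound to a different user. Pin the security-relevant outcome as well, for example `self.assertIn(HASH_SESSION_KEY, self.client.session)`, which needs `HASH_SESSION_KEY` imported in the test module if it is not already. The fixture stores `user.id` while the code under test compares against `user.pk`; using `user.pk` in the test keeps the two aligned. Whether the `self.login()` helper already asserts a successful login cannot be seen from this hunk.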