Commit 97a7dab2 authored by Malcolm Tredinnick's avatar Malcolm Tredinnick
Browse files

Fixed #6941 -- When logging a user out, or when logging in with an existing 

session and a different user id to the current session owner, flush the session
data to avoid leakage. Logging in and moving from an anonymous user to a
validated user still keeps existing session data.

Backwards incompatible if you were assuming sessions persisted past logout.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8343 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 5e8efa9a

django/contrib/auth/__init__.py

+7 −9
Original line number Diff line number Diff line
@@ -53,6 +53,10 @@ def login(request, user): 
    # TODO: It would be nice to support different login methods, like signed cookies.

    user.last_login = datetime.datetime.now()

    user.save()

    if request.session.get('SESSION_KEY', user.id) != user.id:

        # To avoid reusing another user's session, create a new, empty session

        # if the existing session corresponds to a different authenticated user.

        request.session.flush()

    request.session[SESSION_KEY] = user.id

    request.session[BACKEND_SESSION_KEY] = user.backend

    if hasattr(request, 'user'):
@@ -60,16 +64,10 @@ def login(request, user): 


def logout(request):

    """

    Remove the authenticated user's ID from the request.

    Removes the authenticated user's ID from the request and flushes their

    session data.

    """

    try:

        del request.session[SESSION_KEY]

    except KeyError:

        pass

    try:

        del request.session[BACKEND_SESSION_KEY]

    except KeyError:

        pass

    request.session.flush()

    if hasattr(request, 'user'):

        from django.contrib.auth.models import AnonymousUser

        request.user = AnonymousUser()

docs/authentication.txt

+7 −0
Original line number Diff line number Diff line
@@ -426,6 +426,13 @@ use ``django.contrib.auth.logout()`` within your view. It takes an 


Note that ``logout()`` doesn't throw any errors if the user wasn't logged in.



**New in Django development version:** When you call ``logout()``, the session

data for the current request is completely cleaned out. All existing data is

removed. This is to prevent another person from using the same web browser to

log in and have access to the previous user's session data. If you want to put

anything into the session that will be available to the user immediately after

logging out, do that *after* calling ``django.contrib.auth.logout()``.



Limiting access to logged-in users

----------------------------------

docs/sessions.txt

+7 −2
Original line number Diff line number Diff line
@@ -117,8 +117,8 @@ It also has these methods: 
      Delete the current session data from the database and regenerate the

      session key value that is sent back to the user in the cookie. This is

      used if you want to ensure that the previous session data can't be

      accessed again from the user's browser (for example, the standard

      ``logout()`` method calls it).

      accessed again from the user's browser (for example, the

      ``django.contrib.auth.logout()`` method calls it).



    * ``set_test_cookie()``
@@ -230,6 +230,11 @@ This simplistic view logs in a "member" of the site:: 
            pass

        return HttpResponse("You're logged out.")



The standard ``django.contrib.auth.logout()`` function actually does a bit

more than this to prevent inadvertent data leakage. It calls

``request.session.flush()``. We are using this example as a demonstration of

how to work with session objects, not as a full ``logout()`` implementation.



Setting test cookies

====================