[1.7.x] Fixed DoS possibility in contrib.auth.views.logout()
Refs #20936 -- When logging out/ending a session, don't create a new, empty session.

Previously, when logging out, the existing session was overwritten by a new sessionid instead of deleting the session altogether. This behavior added overhead by creating a new session record in whichever backend was in use: db, cache, etc. This extra session is unnecessary at the time since no session data is meant to be preserved when explicitly logging out.

Backport of 393c0e2, 0885796, and 2dee853 from master.

Thanks Florian Apolloner and Carl Meyer for review.

This is a security fix.
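As an added illustration (not Django's code and not part of this commit), the toy in-memory session store below contrasts the pre-fix flush, which deletes the current record and immediately writes a fresh empty one, with the fixed behaviour that only deletes. `SessionStore`, its methods and `simulate_logouts` are hypothetical names chosen for this example; the backend record count is the quantity the commit message is concerned with.

```python
import secrets


class SessionStore:
    """Minimal stand-in for a Django session backend (db, cache, ...).

    Constructed for this example; it is not Django's SessionBase.
    """

    def __init__(self):
        self.records = {}  # session key -> session data

    def create(self):
        # Every create() writes one new record to the backend.
        key = secrets.token_hex(16)
        self.records[key] = {}
        return key

    def delete(self, key):
        self.records.pop(key, None)

    def flush_before_fix(self, key):
        # Pre-fix logout: drop the old session, then create a new empty one,
        # so each logout request costs one backend write.
        self.delete(key)
        return self.create()

    def flush_after_fix(self, key):
        # Fixed logout: delete and leave the client with no session at all.
        self.delete(key)
        return None


def simulate_logouts(store, flush, n, send_cookie):
    """Run n logout requests against `store` and return the record count.

    send_cookie=False models a client that never returns the session
    cookie it was handed, so each request arrives without a session.
    """
    key = None
    for _ in range(n):
        key = flush(key)
        if not send_cookie:
            key = None
    return len(store.records)
```

With the old flush, a client that drops its cookie leaves one record per request behind; with the fix the backend holds nothing after logout in either case.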