Fixed #6941 -- When logging a user out, or when logging in with an existing
session and a different user id to the current session owner, flush the session
data to avoid leakage. Logging in and moving from an anonymous user to a
validated user still keeps existing session data.

Backwards incompatible if you were assuming sessions persisted past logout.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8343 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 97a7dab2b19b87652bc15c5db4cb06cd7011fe4d 1 parent 5e8efa9
Malcolm Tredinnick authored August 14, 2008
16  django/contrib/auth/__init__.py
@@ -53,6 +53,10 @@ def login(request, user):
53 53
     # TODO: It would be nice to support different login methods, like signed cookies.
54 54
     user.last_login = datetime.datetime.now()
55 55
     user.save()
  56
+    if request.session.get('SESSION_KEY', user.id) != user.id:
  57
+        # To avoid reusing another user's session, create a new, empty session
  58
+        # if the existing session corresponds to a different authenticated user.
  59
+        request.session.flush()
56 60
     request.session[SESSION_KEY] = user.id
57 61
     request.session[BACKEND_SESSION_KEY] = user.backend
58 62
     if hasattr(request, 'user'):
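Review bot: the new guard in `login()` compares against the string literal `'SESSION_KEY'`, not the `SESSION_KEY` constant that is used two lines below in `request.session[SESSION_KEY] = user.id`. Nothing ever stores a value under the literal key, so `request.session.get('SESSION_KEY', user.id)` always returns the default `user.id`, the condition is always false, and the flush never runs when a different user logs in over an existing authenticated session, which is exactly the leakage case the commit message describes. It should read `if request.session.get(SESSION_KEY, user.id) != user.id:`. A test that logs in user A, stores a value in the session, logs in user B on the same session and asserts the value is gone would catch this.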
@@ -60,16 +64,10 @@ def login(request, user):
60 64
 
61 65
 def logout(request):
62 66
     """
63  
-    Remove the authenticated user's ID from the request.
  67
+    Removes the authenticated user's ID from the request and flushes their
  68
+    session data.
64 69
     """
65  
-    try:
66  
-        del request.session[SESSION_KEY]
67  
-    except KeyError:
68  
-        pass
69  
-    try:
70  
-        del request.session[BACKEND_SESSION_KEY]
71  
-    except KeyError:
72  
-        pass
  70
+    request.session.flush()
73 71
     if hasattr(request, 'user'):
74 72
         from django.contrib.auth.models import AnonymousUser
75 73
         request.user = AnonymousUser()
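Review bot: replacing the two `del`/`except KeyError: pass` blocks with an unconditional `request.session.flush()` also changes behaviour for requests that were never authenticated: calling `logout()` for an anonymous visitor now discards all anonymous session data and rotates the session key, where before it was a no-op. That is the right trade-off for the leakage fix, but the docstring should state that the flush happens regardless of whether anyone was logged in, and the "backwards incompatible" note in the commit message belongs in the backwards-incompatible changes list rather than only in the docs paragraph.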
7  docs/authentication.txt
@@ -426,6 +426,13 @@ use ``django.contrib.auth.logout()`` within your view. It takes an
426 426
 
427 427
 Note that ``logout()`` doesn't throw any errors if the user wasn't logged in.
428 428
 
  429
+**New in Django development version:** When you call ``logout()``, the session
  430
+data for the current request is completely cleaned out. All existing data is
  431
+removed. This is to prevent another person from using the same web browser to
  432
+log in and have access to the previous user's session data. If you want to put
  433
+anything into the session that will be available to the user immediately after
  434
+logging out, do that *after* calling ``django.contrib.auth.logout()``.
  435
+
429 436
 Limiting access to logged-in users
430 437
 ----------------------------------
431 438
 
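Review bot: this paragraph documents the `logout()` half of the change only; the new `login()` behaviour (flushing the session when it already belongs to a different authenticated user) is described nowhere outside the code comment. A sentence in the `login()` section telling callers that logging in over another user's session discards that session's data, while an anonymous-to-authenticated login keeps it, would make both halves discoverable.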
9  docs/sessions.txt
@@ -117,8 +117,8 @@ It also has these methods:
117 117
       Delete the current session data from the database and regenerate the
118 118
       session key value that is sent back to the user in the cookie. This is
119 119
       used if you want to ensure that the previous session data can't be
120  
-      accessed again from the user's browser (for example, the standard
121  
-      ``logout()`` method calls it).
  120
+      accessed again from the user's browser (for example, the
  121
+      ``django.contrib.auth.logout()`` method calls it).
122 122
 
123 123
     * ``set_test_cookie()``
124 124
 
@@ -230,6 +230,11 @@ This simplistic view logs in a "member" of the site::
230 230
             pass
231 231
         return HttpResponse("You're logged out.")
232 232
 
  233
+The standard ``django.contrib.auth.logout()`` function actually does a bit
  234
+more than this to prevent inadvertent data leakage. It calls
  235
+``request.session.flush()``. We are using this example as a demonstration of
  236
+how to work with session objects, not as a full ``logout()`` implementation.
  237
+
233 238
 Setting test cookies
234 239
 ====================
235 240
 
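Review bot: the note should say what `flush()` adds over the example's deletion of `member_id`: besides removing every key it regenerates the session key, as the `flush()` entry above documents, so a later visitor on the same browser cannot continue with the old cookie. Without that detail a reader may conclude that deleting their own keys, as the example does, is equivalent to the real `logout()`.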
