When logging in, change the session key whilst preserving any existing

session. This means the user will see their session preserved across a login
boundary, but somebody snooping the anonymous session key won't be able to view
the authenticated session data.

This is the final piece of the session key handling changes.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8459 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit c8c159cbbad71deb4d13d6b4e10d4f38817ebdc4 1 parent 2f7d624
Malcolm Tredinnick authored August 21, 2008
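--- a/django/contrib/auth/__init__.py
+++ b/django/contrib/auth/__init__.py
@@ -53,10 +53,15 @@ def login(request, user):
     # TODO: It would be nice to support different login methods, like signed cookies.
     user.last_login = datetime.datetime.now()
     user.save()
-    if request.session.get('SESSION_KEY', user.id) != user.id:
-        # To avoid reusing another user's session, create a new, empty session
-        # if the existing session corresponds to a different authenticated user.
-        request.session.flush()
+
+    if SESSION_KEY in request.session:
+        if request.session[SESSION_KEY] != user.id:
+            # To avoid reusing another user's session, create a new, empty
+            # session if the existing session corresponds to a different
+            # authenticated user.
+            request.session.flush()
+    else:
+        request.session.cycle_key()
     request.session[SESSION_KEY] = user.id
     request.session[BACKEND_SESSION_KEY] = user.backend
     if hasattr(request, 'user'):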
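Review bot: The branch where `SESSION_KEY` is already present and equal to `user.id` neither flushes nor cycles, so a user who re-authenticates keeps the same session key across this login boundary, while the new comment only explains the different-user flush case. That may be deliberate, since that key was already bound to this authenticated user, but it reads as an omission next to the `cycle_key()` added for the anonymous case. I would make the choice explicit with a comment on the inner `if`, e.g. `# Same user re-authenticating: the key is already authenticated, so keep it; only a different user's session is discarded.` The body of `login` starts and ends outside this hunk.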
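--- a/django/contrib/sessions/backends/base.py
+++ b/django/contrib/sessions/backends/base.py
@@ -239,6 +239,16 @@ def flush(self):
         self.delete()
         self.create()
 
+    def cycle_key(self):
+        """
+        Creates a new session key, whilst retaining the current session data.
+        """
+        data = self._session_cache
+        key = self.session_key
+        self.create()
+        self._session_cache = data
+        self.delete(key)
+
     # Methods that child classes must implement.
 
     def exists(self, session_key):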
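Review bot: `data = self._session_cache` reads the cache attribute directly, which appears to be populated lazily (the name suggests it, and `flush()` just above does not touch it), so calling `cycle_key()` on a session that has not been accessed yet would raise; in `login` the preceding `SESSION_KEY in request.session` happens to load it, but `cycle_key` is a public method on the base class. Likewise `self.delete(key)` runs even when `session_key` was `None` for a session that was never saved. I would read the data through whatever lazy accessor the class uses for the session dict rather than the raw attribute, and guard the cleanup with `if key: self.delete(key)`. The docstring should also say that the old key is invalidated immediately while the retained data is only persisted under the new key on the next save, since that ordering is what makes the old key useless to anyone who captured it. The enclosing class continues outside this hunk.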
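--- a/django/contrib/sessions/tests.py
+++ b/django/contrib/sessions/tests.py
@@ -37,6 +37,15 @@
 False
 >>> db_session.modified, db_session.accessed
 (True, True)
+>>> db_session['a'], db_session['b'] = 'c', 'd'
+>>> db_session.save()
+>>> prev_key = db_session.session_key
+>>> prev_data = db_session.items()
+>>> db_session.cycle_key()
+>>> db_session.session_key == prev_key
+False
+>>> db_session.items() == prev_data
+True
 
 # Submitting an invalid session key (either by guessing, or if the db has
 # removed the key) results in a new key being generated.
@@ -75,6 +84,16 @@
 False
 >>> file_session.modified, file_session.accessed
 (True, True)
+>>> file_session['a'], file_session['b'] = 'c', 'd'
+>>> file_session.save()
+>>> prev_key = file_session.session_key
+>>> prev_data = file_session.items()
+>>> file_session.cycle_key()
+>>> file_session.session_key == prev_key
+False
+>>> file_session.items() == prev_data
+True
+
 >>> Session.objects.filter(pk=file_session.session_key).delete()
 >>> file_session = FileSession(file_session.session_key)
 >>> file_session.save()
@@ -112,6 +131,16 @@
 False
 >>> cache_session.modified, cache_session.accessed
 (True, True)
+>>> cache_session['a'], cache_session['b'] = 'c', 'd'
+>>> cache_session.save()
+>>> prev_key = cache_session.session_key
+>>> prev_data = cache_session.items()
+>>> cache_session.cycle_key()
+>>> cache_session.session_key == prev_key
+False
+>>> cache_session.items() == prev_data
+True
+
 >>> Session.objects.filter(pk=cache_session.session_key).delete()
 >>> cache_session = CacheSession(cache_session.session_key)
 >>> cache_session.save()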
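Review bot: The new doctests check that the key changed and the data survived, but not the property the commit exists for: that the previous key no longer resolves to a session. Each of the three blocks should also assert the old key is gone in the backing store, e.g. `>>> db_session.exists(prev_key)` followed by `False`, and the same for `file_session` and `cache_session`, using the `exists()` method the backends implement. Without that, a backend whose `cycle_key` failed to delete the old key would still pass, and a captured anonymous key would keep working after login.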
