[1.5.x] Fixed #17869 - force logout when REMOTE_USER header disappears

If the current session's user was logged in via a remote-user backend, log the
user out when the REMOTE_USER header is not available; otherwise leave it to the
other auth middleware to install the AnonymousUser.

Thanks to Sylvain Bouchard for the initial patch and ticket maintenance.
commit e8269a6729150d26a5497d5eb51226ca19fa21b9 1 parent 402a986
@ptone ptone authored
17 django/contrib/auth/
@@ -1,4 +1,6 @@
from django.contrib import auth
+from django.contrib.auth import load_backend
+from django.contrib.auth.backends import RemoteUserBackend
from django.core.exceptions import ImproperlyConfigured
from django.utils.functional import SimpleLazyObject
@@ -47,9 +49,18 @@ def process_request(self, request):
username = request.META[self.header]
except KeyError:
- # If specified header doesn't exist then return (leaving
- # request.user set to AnonymousUser by the
- # AuthenticationMiddleware).
+ # If specified header doesn't exist then remove any existing
+ # authenticated remote-user, or return (leaving request.user set to
+ # AnonymousUser by the AuthenticationMiddleware).
+ if request.user.is_authenticated():
+ try:
+ stored_backend = load_backend(request.session.get(
+ if isinstance(stored_backend, RemoteUserBackend):
+ auth.logout(request)
+ except ImproperlyConfigured as e:
@charettes Collaborator

Minor issue: e is unused here.

+ # backend failed to load
+ auth.logout(request)
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
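Review bot: The `except ImproperlyConfigured` branch logs the user out when the backend recorded in the session cannot be loaded, but the comment `# backend failed to load` does not say that this is a deliberate fail-closed choice; I would write `# The backend recorded in the session can no longer be loaded, so its login cannot be verified: fail closed and drop the session.` The `isinstance(stored_backend, RemoteUserBackend)` test above it also deserves a note that only sessions created by RemoteUserBackend or a subclass are tied to the header, so a custom remote-user backend that does not inherit from it keeps its login when the header vanishes, e.g. `# Only RemoteUserBackend (and subclasses) sessions are tied to the header; other backends keep their login.` The argument to `request.session.get(` is cut off in this rendering, presumably the session backend key, and process_request continues past the hunk, so I cannot see whether the branch returns after the logout.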
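--- a/django/contrib/auth/tests/
+++ b/django/contrib/auth/tests/
@@ -1,8 +1,9 @@
 from datetime import datetime
 from django.conf import settings
+from django.contrib.auth import authenticate
 from django.contrib.auth.backends import RemoteUserBackend
-from django.contrib.auth.models import User
+from django.contrib.auth.models import User, AnonymousUser
 from django.contrib.auth.tests.utils import skipIfCustomUser
 from django.test import TestCase
 from django.utils import timezone
@@ -23,7 +24,7 @@ def setUp(self):
 self.curr_middleware = settings.MIDDLEWARE_CLASSES
 self.curr_auth = settings.AUTHENTICATION_BACKENDS
 settings.MIDDLEWARE_CLASSES += (self.middleware,)
-settings.AUTHENTICATION_BACKENDS = (self.backend,)
+settings.AUTHENTICATION_BACKENDS += (self.backend,)
 def test_no_remote_user(self):
@@ -97,6 +98,26 @@ def test_last_login(self):
 response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
 self.assertEqual(default_login, response.context['user'].last_login)
+def test_header_disappears(self):
+"""
+Tests that a logged in user is logged out automatically when
+the REMOTE_USER header disappears during the same browser session.
+"""
+User.objects.create(username='knownuser')
+# Known user authenticates
+response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
+self.assertEqual(response.context['user'].username, 'knownuser')
+# During the session, the REMOTE_USER header disappears. Should trigger logout.
+response = self.client.get('/remote_user/')
+self.assertEqual(response.context['user'].is_anonymous(), True)
+# verify the remoteuser middleware will not remove a user
+# authenticated via another backend
+User.objects.create_user(username='modeluser', password='foo')
+self.client.login(username='modeluser', password='foo')
+authenticate(username='modeluser', password='foo')
+response = self.client.get('/remote_user/')
+self.assertEqual(response.context['user'].username, 'modeluser')
 def tearDown(self):
 """Restores settings to avoid breaking other tests."""
 settings.MIDDLEWARE_CLASSES = self.curr_middleware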
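Review bot: In test_header_disappears the call `authenticate(username='modeluser', password='foo')` discards its result and has no effect on the test — `self.client.login(...)` on the preceding line already establishes the session — so it is dead code that also pulls in the otherwise-unused `authenticate` import added at the top of the file; drop both lines. The same test reads tighter with `self.assertTrue(response.context['user'].is_anonymous())` in place of `assertEqual(..., True)`. The switch from `=` to `+=` for AUTHENTICATION_BACKENDS presumably relies on the default ModelBackend staying in the tuple, which is what lets the second half of the test log in with a password; that dependency is worth a one-line comment in setUp. AnonymousUser is newly imported but does not appear in any added line shown here.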
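--- a/docs/releases/1.5.txt
+++ b/docs/releases/1.5.txt
@@ -296,6 +296,9 @@ Django 1.5 also includes several smaller improvements worth noting:
 you to test equality for XML content at a semantic level, without caring for
 syntax differences (spaces, attribute order, etc.).
+* RemoteUserMiddleware now forces logout when the REMOTE_USER header
+disappears during the same browser session.
 Backwards incompatible changes in 1.5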

Minor issue: e is unused here.
