session_security breaks "End Session" on the current session when using user_sessions #89
Comments
As a fix, I propose enhancing the SESSION_SECURITY_PASSIVE_URLS parameter to understand URLs with parameterized arguments, instead of just static strings. The URLs in this instance look like this:

    http://127.0.0.1:8000/account/sessions/5srnkbv9rczmud7v7zp0oi8t76b6fgwm/delete/

where the 3rd entry in the path is the session ID. PR coming soon.
… session when using user_sessions

Add a new parameter, SESSION_SECURITY_PASSIVE_URL_NAMES, which takes a list of URL names to skip when performing session activity updates. This provides an easy method for parameterized URLs to be skipped. The existing SESSION_SECURITY_PASSIVE_URLS parameter continues to work with static path names.

For example, if you have the following URL from the user_sessions app:

    /account/sessions/<session_id>/delete/

you can skip the activity tracker by adding the following to settings.py:

    SESSION_SECURITY_PASSIVE_URL_NAMES = ['session_delete']

This currently only handles direct URL names and can be updated in the future to handle fully namespaced and instanced URL names.
The original issue for which I submitted this patch has been fixed in the user_sessions module. However, I think this is still the better way to do PASSIVE URLS (DRY).
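The name-based check described in the PR above, as an added standalone example that is not code from django-session-security or django-user-sessions: a tiny regex URLconf stands in for Django's resolver so the script runs without Django, the `resolve`/`ResolverMatch` names mirror `django.urls` but are re-implemented here, and the `namespace:name` form goes one step beyond the PR, which handles direct names only. Only the `session_delete` name and the delete path come from the thread; the other URL names and the `account:keepalive` pattern are invented for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Pattern, Tuple


@dataclass
class ResolverMatch:
    """Minimal stand-in for django.urls.ResolverMatch (example only)."""
    url_name: str
    namespace: Optional[str]
    kwargs: Dict[str, str] = field(default_factory=dict)


# Constructed mini URLconf: (compiled pattern, url_name, namespace).
# Only 'session_delete' and its path come from the issue thread; the other
# entries are assumptions made for this example.
URLPATTERNS: List[Tuple[Pattern[str], str, Optional[str]]] = [
    (re.compile(r"^/account/sessions/$"), "session_list", None),
    (re.compile(r"^/account/sessions/(?P<pk>[0-9a-z]+)/delete/$"), "session_delete", None),
    (re.compile(r"^/account/keepalive/$"), "keepalive", "account"),
]


def resolve(path: str) -> Optional[ResolverMatch]:
    """Resolve a request path to its URL name, like django.urls.resolve()."""
    for pattern, url_name, namespace in URLPATTERNS:
        match = pattern.match(path)
        if match:
            return ResolverMatch(url_name, namespace, match.groupdict())
    return None


def is_passive(path: str,
               passive_urls: Iterable[str] = (),
               passive_url_names: Iterable[str] = ()) -> bool:
    """Return True when a request must NOT count as user activity.

    passive_urls      -- static paths (the existing SESSION_SECURITY_PASSIVE_URLS style);
                         a path containing a session id can never match a static entry.
    passive_url_names -- URL names (the SESSION_SECURITY_PASSIVE_URL_NAMES style);
                         the path is resolved first, so the session id in it is irrelevant.
    """
    if path in set(passive_urls):
        return True
    match = resolve(path)
    if match is None:
        return False
    # Accept the bare name and, beyond what the PR does, the 'namespace:name' form.
    candidates = {match.url_name}
    if match.namespace:
        candidates.add(f"{match.namespace}:{match.url_name}")
    return not candidates.isdisjoint(passive_url_names)


def should_update_activity(path: str,
                           passive_urls: Iterable[str] = (),
                           passive_url_names: Iterable[str] = ()) -> bool:
    """Middleware decision: refresh the session's last-activity stamp for this request?"""
    return not is_passive(path, passive_urls, passive_url_names)


if __name__ == "__main__":
    delete_url = "/account/sessions/5srnkbv9rczmud7v7zp0oi8t76b6fgwm/delete/"
    # A static entry cannot express the session id, so activity is still updated (True).
    print(should_update_activity(delete_url,
                                 passive_urls=["/account/sessions/<session_id>/delete/"]))
    # Matching on the URL name skips the activity update (False).
    print(should_update_activity(delete_url, passive_url_names=["session_delete"]))
```

The point the two `print` calls make is the one raised in the thread: a per-session path can only be recognised after it has been resolved back to its URL name, so a static path list is the wrong data structure for it.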
Hi! Thanks a lot for your contribution! Would this work for you?
Hey @jpic, I don't think reverse_lazy will work here, because the URL is parameterized with the session token:

    http://127.0.0.1:8000/account/sessions/5srnkbv9rczmud7v7zp0oi8t76b6fgwm/delete/

There's no way for us to pass this dynamic portion of the URL (5srnkbv9rczmud7v7zp0oi8t76b6fgwm) into the static SESSION_SECURITY_PASSIVE_URLS parameter in the existing code. A quick attempt returns a NoReverseMatch exception.
Hi @sdann, sounds fair, I think we'd like to merge this. Care to add a unit test or two and a bit of doc for the new setting? Thanks
Indeed. I was on vacation last week. I'll try to add some testing and docs to the PR by the end of the week.
Fix yourlabs#89: session_security breaks "End Session"
The middleware user_sessions.middleware.SessionMiddleware provides a listing of a user's sessions across various clients. The user can then choose to "End Session" on any of their existing sessions, including the current session they are logged in as.
When using the user_sessions middleware alone, clicking "End Session" will behave the same way as "Logout". Unfortunately, when combined with the session_security middleware, clicking "End Session" on the current session has no effect.
With some pdb tracing, I've figured out the following rough series of events:
The user is redirected to the same Session List page, with their current session still active.