Author: mtredinnick
Date: 2008-08-21 08:54:53 -0500 (Thu, 21 Aug 2008)
New Revision: 8459
Modified:
django/trunk/django/contrib/auth/__init__.py
django/trunk/django/contrib/sessions/backends/base.py
django/trunk/django/contrib/sessions/tests.py
Log:
When logging in, change the session key whilst preserving any existing
sesssion. This means the user will see their session preserved across a login
boundary, but somebody snooping the anonymous session key won't be able to view
the authenticated session data.
This is the final piece of the session key handling changes.
Modified: django/trunk/django/contrib/auth/__init__.py
===================================================================
--- django/trunk/django/contrib/auth/__init__.py 2008-08-21 07:28:21 UTC
(rev 8458)
+++ django/trunk/django/contrib/auth/__init__.py 2008-08-21 13:54:53 UTC
(rev 8459)
@@ -53,10 +53,15 @@
# TODO: It would be nice to support different login methods, like signed
cookies.
user.last_login = datetime.datetime.now()
user.save()
- if request.session.get('SESSION_KEY', user.id) != user.id:
- # To avoid reusing another user's session, create a new, empty session
- # if the existing session corresponds to a different authenticated
user.
- request.session.flush()
+
+ if SESSION_KEY in request.session:
+ if request.session[SESSION_KEY] != user.id:
+ # To avoid reusing another user's session, create a new, empty
+ # session if the existing session corresponds to a different
+ # authenticated user.
+ request.session.flush()
+ else:
+ request.session.cycle_key()
request.session[SESSION_KEY] = user.id
request.session[BACKEND_SESSION_KEY] = user.backend
if hasattr(request, 'user'):
Modified: django/trunk/django/contrib/sessions/backends/base.py
===================================================================
--- django/trunk/django/contrib/sessions/backends/base.py 2008-08-21
07:28:21 UTC (rev 8458)
+++ django/trunk/django/contrib/sessions/backends/base.py 2008-08-21
13:54:53 UTC (rev 8459)
@@ -239,6 +239,16 @@
self.delete()
self.create()
+ def cycle_key(self):
+ """
+ Creates a new session key, whilst retaining the current session data.
+ """
+ data = self._session_cache
+ key = self.session_key
+ self.create()
+ self._session_cache = data
+ self.delete(key)
+
# Methods that child classes must implement.
def exists(self, session_key):
Modified: django/trunk/django/contrib/sessions/tests.py
===================================================================
--- django/trunk/django/contrib/sessions/tests.py 2008-08-21 07:28:21 UTC
(rev 8458)
+++ django/trunk/django/contrib/sessions/tests.py 2008-08-21 13:54:53 UTC
(rev 8459)
@@ -37,6 +37,15 @@
False
>>> db_session.modified, db_session.accessed
(True, True)
+>>> db_session['a'], db_session['b'] = 'c', 'd'
+>>> db_session.save()
+>>> prev_key = db_session.session_key
+>>> prev_data = db_session.items()
+>>> db_session.cycle_key()
+>>> db_session.session_key == prev_key
+False
+>>> db_session.items() == prev_data
+True
# Submitting an invalid session key (either by guessing, or if the db has
# removed the key) results in a new key being generated.
@@ -75,6 +84,16 @@
False
>>> file_session.modified, file_session.accessed
(True, True)
+>>> file_session['a'], file_session['b'] = 'c', 'd'
+>>> file_session.save()
+>>> prev_key = file_session.session_key
+>>> prev_data = file_session.items()
+>>> file_session.cycle_key()
+>>> file_session.session_key == prev_key
+False
+>>> file_session.items() == prev_data
+True
+
>>> Session.objects.filter(pk=file_session.session_key).delete()
>>> file_session = FileSession(file_session.session_key)
>>> file_session.save()
@@ -112,6 +131,16 @@
False
>>> cache_session.modified, cache_session.accessed
(True, True)
+>>> cache_session['a'], cache_session['b'] = 'c', 'd'
+>>> cache_session.save()
+>>> prev_key = cache_session.session_key
+>>> prev_data = cache_session.items()
+>>> cache_session.cycle_key()
+>>> cache_session.session_key == prev_key
+False
+>>> cache_session.items() == prev_data
+True
+
>>> Session.objects.filter(pk=cache_session.session_key).delete()
>>> cache_session = CacheSession(cache_session.session_key)
>>> cache_session.save()
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/django-updates?hl=en
-~----------~----~----~----~------~----~------~--~---
