[Django] #10265: _make_token_with_timestamp inconsistent based on User.last_login

Sat, 14 Feb 2009 08:41:42 -0800 

#10265: _make_token_with_timestamp inconsistent based on User.last_login
------------------------------+---------------------------------------------
 Reporter:  felix             |       Owner:  nobody    
   Status:  new               |   Milestone:            
Component:  Contrib apps      |     Version:  1.0       
 Keywords:  auth token login  |       Stage:  Unreviewed
Has_patch:  1                 |  
------------------------------+---------------------------------------------
 default token generator makes inconsistent tokens depending on if the user
 has been loaded from the db or has just been created during this response

 the difference is that a User just created has a last_login with
 microseconds set, but when reloaded from the db it does not and the token
 generator uses unicode(user.last_login) in the hash

 >>> from django.contrib.auth.models import User
 >>> u1 = User.objects.create_user("username","[email protected]","password")
 >>> u1.last_login
 datetime.datetime(2009, 2, 14, 16, 5, 3, 638275)
 >>> unicode(u1.last_login)
 u'2009-02-14 16:05:03.638275'

 >>> u2 = User.objects.all()[0]
 >>> u2
 <User: crucial>
 >>> u2.last_login
 datetime.datetime(2009, 2, 14, 15, 47, 20)
 >>> unicode(u2.last_login)
 u'2009-02-14 15:47:20'

 (as an aside, I don't think that a user should be created with a last
 login of now.
 a new user has never logged in.)

 # user just made, generate token:
 making token 3  2009-02-14 16:24:33.632380 2966
 2ae-c3c68b86d5148e768353

 # user comes to site, token fails equality test in check_token
 making token 3  2009-02-14 16:24:33 2966
 2ae-e8d746b5603f6fae0fd5

 the fix is to explicitly format user.last_login without microsecond

 this fix should not break any currently generated tokens out there in
 email land

-- 
Ticket URL: <http://code.djangoproject.com/ticket/10265>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en
-~----------~----~----~----~------~----~------~--~---

Reply via email to