#17869: With RemoteUserMiddleware, users keep being logged in after web server stops sending REMOTE_USER headers
-------------------------------+--------------------
     Reporter:  lamby          |      Owner:  nobody
         Type:  Uncategorized  |     Status:  new
    Component:  Uncategorized  |    Version:  1.3
     Severity:  Normal         |   Keywords:
 Triage Stage:  Unreviewed     |  Has patch:  0
Easy pickings:  0              |      UI/UX:  0
-------------------------------+--------------------
 (Forwarded from http://bugs.debian.org/663230)

 This was reproduced on 1.2.3-3+squeeze2, but the RemoteUserMiddleware code
 seems to be the same as in 1.3.1-4 on my development machine.

 RemoteUserMiddleware relies on a REMOTE_USER variable being set by the web
 server with the current user name; so far so good. However, it does not log
 a person out if the variable disappears during the same browser session.

 That may never happen with the usual browsers and auth, but it does happen
 for other setups like DACS that have a logout feature button.

 The error is in this bit of
 django.contrib.auth.middleware.RemoteUserMiddleware:

 {{{
         try:
             username = request.META[self.header]
         except KeyError:
             # If specified header doesn't exist then return (leaving
             # request.user set to AnonymousUser by the
             # AuthenticationMiddleware).
             return
 }}}

 The except branch assumes that if there is no request.META[self.header],
 then the user is the anonymous one.

 Since I found that this is not always the case, I fixed it by adding a
 simple "auth.logout(request)" before returning:

 {{{
         try:
             username = request.META[self.header]
         except KeyError:
             # If specified header doesn't exist then return (leaving
             # request.user set to AnonymousUser by the
             # AuthenticationMiddleware).

             # Make sure that if the server did not send any headers,
             # then we are actually logged out
             auth.logout(request)
             return
 }}}

-- 
Ticket URL: <https://code.djangoproject.com/ticket/17869>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
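
 The session interaction behind this report, as an added example that is
 not part of the ticket and not Django's own code: a framework-free model
 that runs without Django installed. User, Session, Request, login/logout,
 the AuthenticationMiddleware step and the three RemoteUserMiddleware
 variants are simplified stand-ins that keep only what the bug needs; the
 two session key names mirror Django's _auth_user_id and
 _auth_user_backend, everything else (scenario names, "alice", "bob", the
 "cart" data) is an assumption made for illustration. It replays two
 requests over one session cookie, REMOTE_USER present on the first and
 absent on the second, and shows that the original middleware leaves the
 user logged in because AuthenticationMiddleware has already restored the
 user from the session. It also shows the cost of the unconditional
 auth.logout() in the proposed patch: logout() flushes the session whether
 or not anyone is logged in, so it would also end a normal form login
 (ModelBackend) and wipe anonymous session data on every request that
 lacks the header. The narrower variant logs out only when the session
 records that the remote-user backend created it.

```python
# Added example, not code from the ticket or from Django: a framework-free model
# of the session interaction behind this report, runnable without Django.
# User, Session, Request, login/logout and the middleware functions are
# simplified stand-ins that keep only what the bug needs; the two session key
# names mirror Django's, everything else here is an assumption for illustration.

SESSION_USER_KEY = "_auth_user_id"          # Django's SESSION_KEY
SESSION_BACKEND_KEY = "_auth_user_backend"  # Django's BACKEND_SESSION_KEY
REMOTE_BACKEND, MODEL_BACKEND = "RemoteUserBackend", "ModelBackend"

class User:
    is_authenticated = True
    def __init__(self, username):
        self.username = username

class AnonymousUser:
    is_authenticated = False
    username = ""

class Session(dict):
    """Server-side session tied to one cookie; flush() is what logout() calls."""
    def flush(self):
        self.clear()

class Request:
    def __init__(self, session, meta):
        # Same Session object across requests models the same browser cookie.
        self.session, self.META, self.user = session, meta, AnonymousUser()

def login(request, user, backend):
    request.session[SESSION_USER_KEY] = user.username
    request.session[SESSION_BACKEND_KEY] = backend
    request.user = user

def logout(request):
    # Like auth.logout(): flushes the whole session even if nobody was logged in.
    request.session.flush()
    request.user = AnonymousUser()

def authentication_middleware(request):
    """AuthenticationMiddleware's job: rebuild request.user from the session."""
    username = request.session.get(SESSION_USER_KEY)
    request.user = User(username) if username else AnonymousUser()

def _adopt_remote_user(request, username):
    # Header present: trust the web server unless already logged in as that user.
    if not (request.user.is_authenticated and request.user.username == username):
        login(request, User(username), REMOTE_BACKEND)

def remote_user_original(request, header="REMOTE_USER"):
    """Behaviour reported in the ticket: a missing header changes nothing."""
    if header not in request.META:
        return                      # request.user stays whatever the session said
    _adopt_remote_user(request, request.META[header])

def remote_user_logout_always(request, header="REMOTE_USER"):
    """The patch proposed in the ticket: a missing header always logs out."""
    if header not in request.META:
        logout(request)
        return
    _adopt_remote_user(request, request.META[header])

def remote_user_logout_remote_only(request, header="REMOTE_USER"):
    """Narrower fix: only end sessions that this middleware itself created."""
    if header not in request.META:
        if (request.user.is_authenticated
                and request.session.get(SESSION_BACKEND_KEY) == REMOTE_BACKEND):
            logout(request)
        return
    _adopt_remote_user(request, request.META[header])

def run(middleware, session, *metas):
    """Replay requests over one session; return the username the last view sees."""
    for meta in metas:
        request = Request(session, meta)
        authentication_middleware(request)   # runs before RemoteUserMiddleware
        middleware(request)
    return request.user.username

def scenario_header_disappears(middleware):
    """DACS-style logout: REMOTE_USER sent once, then absent on the next request."""
    return run(middleware, Session(), {"REMOTE_USER": "alice"}, {})

def scenario_form_login(middleware):
    """User logged in through a normal form (ModelBackend); REMOTE_USER never sent."""
    session = Session()
    login(Request(session, {}), User("bob"), MODEL_BACKEND)
    return run(middleware, session, {})

def scenario_anonymous_session_data(middleware):
    """Anonymous visitor with data in the session and no REMOTE_USER: is it kept?"""
    session = Session()
    session["cart"] = ["sku-1"]   # constructed sample session data
    run(middleware, session, {})
    return session.get("cart")

if __name__ == "__main__":
    for mw in (remote_user_original, remote_user_logout_always,
               remote_user_logout_remote_only):
        print(mw.__name__, scenario_header_disappears(mw),
              scenario_form_login(mw), scenario_anonymous_session_data(mw))
```

 Running it prints one line per variant: the original keeps "alice" logged
 in after the header is gone, the unconditional logout ends that session
 but also drops "bob" and the anonymous cart, and the backend-checking
 variant ends only the remote-user session.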

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.