	[1.8.x] Fixed incorrect session.flush() in cached_db session backend.
This is a security fix; disclosure to follow shortly. Thanks Sam Cooke for the report and draft patch.
		| @@ -79,7 +79,7 @@ class SessionStore(DBStore): | |||||||
|         """ |         """ | ||||||
|         self.clear() |         self.clear() | ||||||
|         self.delete(self.session_key) |         self.delete(self.session_key) | ||||||
|         self._session_key = '' |         self._session_key = None | ||||||
|  |  | ||||||
| # At bottom to avoid circular import | # At bottom to avoid circular import | ||||||
| from django.contrib.sessions.models import Session  # isort:skip | from django.contrib.sessions.models import Session  # isort:skip | ||||||
|   | |||||||
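Review bot: The corrected assignment on the `self._session_key = None` line deserves a why-comment, because `''` and `None` read as interchangeable sentinels and the release note in this same commit shows that `''` is accepted as a real session key and shared by every client presenting an empty cookie: `# None, not '': an empty string is accepted as a session key and would be shared by every client sending an empty cookie`. The `flush()` signature and the start of its docstring lie above the hunk, so only the tail of the method is visible here. The visible body (clear, delete, reset the key) looks like a re-implementation of the base-class `flush()`; if that is the case, delegating to it would keep the sentinel defined in one place and avoid a repeat of this drift, but I have not verified the base implementation from this page.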
| @@ -4,7 +4,23 @@ Django 1.8.2 release notes | |||||||
|  |  | ||||||
| *Under development* | *Under development* | ||||||
|  |  | ||||||
| Django 1.8.2 fixes several bugs in 1.8.1. | Django 1.8.2 fixes a security issue and several bugs in 1.8.1. | ||||||
|  |  | ||||||
|  | Fixed session flushing in the ``cached_db`` backend | ||||||
|  | =================================================== | ||||||
|  |  | ||||||
|  | A change to ``session.flush()`` in the ``cached_db`` session backend in Django | ||||||
|  | 1.8 mistakenly sets the session key to an empty string rather than ``None``. An | ||||||
|  | empty string is treated as a valid session key and the session cookie is set | ||||||
|  | accordingly. Any users with an empty string in their session cookie will use | ||||||
|  | the same session store. ``session.flush()`` is called by | ||||||
|  | ``django.contrib.auth.logout()`` and, more seriously, by | ||||||
|  | ``django.contrib.auth.login()`` when a user switches accounts. If a user is | ||||||
|  | logged in and logs in again to a different account (without logging out) the | ||||||
|  | session is flushed to avoid reuse. After the session is flushed (and its | ||||||
|  | session key becomes ``''``) the account details are set on the session and the | ||||||
|  | session is saved. Any users with an empty string in their session cookie will | ||||||
|  | now be logged into that account. | ||||||
|  |  | ||||||
| Bugfixes | Bugfixes | ||||||
| ======== | ======== | ||||||
|   | |||||||
| @@ -162,6 +162,7 @@ class SessionTestsMixin(object): | |||||||
|         self.session.flush() |         self.session.flush() | ||||||
|         self.assertFalse(self.session.exists(prev_key)) |         self.assertFalse(self.session.exists(prev_key)) | ||||||
|         self.assertNotEqual(self.session.session_key, prev_key) |         self.assertNotEqual(self.session.session_key, prev_key) | ||||||
|  |         self.assertIsNone(self.session.session_key) | ||||||
|         self.assertTrue(self.session.modified) |         self.assertTrue(self.session.modified) | ||||||
|         self.assertTrue(self.session.accessed) |         self.assertTrue(self.session.accessed) | ||||||
|  |  | ||||||
|   | |||||||
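Review bot: The new `assertIsNone` line pins the attribute value after `flush()` but not the behaviour the release note describes, namely that a flushed and then saved session gets a fresh key instead of reusing `''`, so a follow-on assertion would guard the account-switch path more directly: `self.session['x'] = 1` / `self.session.save()` / `self.assertTrue(self.session.session_key)`. That assumes `save()` creates a new key when `session_key` is `None`, which I cannot confirm from this hunk. The test method's `def` line and the `prev_key` setup sit above the hunk inside `SessionTestsMixin`.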