mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-24 06:06:09 +00:00
Code Issues 32 Releases Wiki Activity

Fixed #6941 -- When logging a user out, or when logging in with an existing

Browse Source 
session and a different user id to the current session owner, flush the session
data to avoid leakage. Logging in and moving from an anonymous user to a
validated user still keeps existing session data.

Backwards incompatible if you were assuming sessions persisted past logout.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8343 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Malcolm Tredinnick
2008-08-14 03:58:00 +00:00
parent 5e8efa9a60
commit 97a7dab2b1
3 changed files with 21 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/authentication.txt
View File

@@ -426,6 +426,13 @@ use ``django.contrib.auth.logout()`` within your view. It takes an
Note that ``logout()`` doesn't throw any errors if the user wasn't logged in.
**New in Django development version:** When you call ``logout()``, the session
data for the current request is completely cleaned out. All existing data is
removed. This is to prevent another person from using the same web browser to
log in and have access to the previous user's session data. If you want to put
anything into the session that will be available to the user immediately after
logging out, do that *after* calling ``django.contrib.auth.logout()``.
Limiting access to logged-in users
----------------------------------

9
docs/sessions.txt
View File

@@ -117,8 +117,8 @@ It also has these methods:
Delete the current session data from the database and regenerate the
session key value that is sent back to the user in the cookie. This is
used if you want to ensure that the previous session data can't be
accessed again from the user's browser (for example, the standard
``logout()`` method calls it).
accessed again from the user's browser (for example, the
``django.contrib.auth.logout()`` method calls it).
* ``set_test_cookie()``
@@ -230,6 +230,11 @@ This simplistic view logs in a "member" of the site::
pass
return HttpResponse("You're logged out.")
The standard ``django.contrib.auth.logout()`` function actually does a bit
more than this to prevent inadvertent data leakage. It calls
``request.session.flush()``. We are using this example as a demonstration of
how to work with session objects, not as a full ``logout()`` implementation.
Setting test cookies
====================