mirror of https://github.com/django/django.git (synced 2025-10-17 13:58:24 +00:00)
Fixed #6941 -- When logging a user out, or when logging in with an existing
session and a different user id to the current session owner, flush the session data to avoid leakage. Logging in and moving from an anonymous user to a validated user still keeps existing session data. Backwards incompatible if you were assuming sessions persisted past logout.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@8343 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 5e8efa9a60
commit 97a7dab2b1
3 changed files with 21 additions and 11 deletions
@ -426,6 +426,13 @@ use ``django.contrib.auth.logout()`` within your view. It takes an
Note that ``logout()`` doesn't throw any errors if the user wasn't logged in.
**New in Django development version:** When you call ``logout()``, the session
data for the current request is completely cleaned out. All existing data is
removed. This is to prevent another person from using the same web browser to
log in and have access to the previous user's session data. If you want to put
anything into the session that will be available to the user immediately after
logging out, do that *after* calling ``django.contrib.auth.logout()``.
Limiting access to logged-in users
----------------------------------
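Review bot: The new paragraph documents only the logout half of this change; the commit message also says that ``login()`` flushes an existing session when the session already belongs to a different user id, while an anonymous-to-authenticated login keeps the session data, and neither case is mentioned in the ``login()`` docs. Add a sentence there, since code that stores data in the session before calling ``login()`` is affected in exactly the same backwards-incompatible way. "Completely cleaned out" also undersells the security property: per the ``flush()`` description in the hunk further down, the session key is regenerated as well, so the cookie value held before logout no longer resolves to any stored session; stating that here tells readers why the old cookie cannot be reused. Note that the code change itself is not visible on this page: the three documentation hunks shown account for 14 additions and 2 deletions of the 21 and 11 reported.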
@ -117,8 +117,8 @@ It also has these methods:
Delete the current session data from the database and regenerate the
session key value that is sent back to the user in the cookie. This is
used if you want to ensure that the previous session data can't be
accessed again from the user's browser (for example, the standard
``logout()`` method calls it).
accessed again from the user's browser (for example, the
``django.contrib.auth.logout()`` method calls it).
* ``set_test_cookie()``
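Review bot: Replacing "the standard ``logout()``" with the fully qualified ``django.contrib.auth.logout()`` in the second sentence removes a real ambiguity, because this document's own example a few sections down defines a view that logs a user out without ever calling ``flush()``; keep the qualified name. One wording nit in the unchanged context: "Delete the current session data from the database" ties the description to storage, whereas the guarantee readers need is the one stated next, that the session key is regenerated so the previous cookie value no longer maps to any stored session; leading with that would make the method's purpose clearer.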
@ -230,6 +230,11 @@ This simplistic view logs in a "member" of the site::
pass
return HttpResponse("You're logged out.")
The standard ``django.contrib.auth.logout()`` function actually does a bit
more than this to prevent inadvertent data leakage. It calls
``request.session.flush()``. We are using this example as a demonstration of
how to work with session objects, not as a full ``logout()`` implementation.
Setting test cookies
====================
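Review bot: The added caveat is the right call, but it comes after the example, so a reader who copies the view before reaching it ships a logout that leaves the old session data and session key in place; either call ``request.session.flush()`` in the example itself, or move the caveat to a note directly above the code. Also link ``request.session.flush()`` back to the method described in the hunk above so the reason it prevents leakage (data deleted, key regenerated) is one click away, and consider naming the leak concretely: the next person to log in from the same browser would inherit whatever this example left in the session.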