1
0
mirror of https://github.com/django/django.git synced 2024-12-23 09:36:06 +00:00

[1.8.x] Fixed incorrect session.flush() in cached_db session backend.

This is a security fix; disclosure to follow shortly.

Thanks Sam Cooke for the report and draft patch.
This commit is contained in:
Tim Graham 2015-05-11 09:58:43 -04:00
parent 2b2a2157d0
commit 31cb25adec
3 changed files with 19 additions and 2 deletions

View File

@ -79,7 +79,7 @@ class SessionStore(DBStore):
"""
self.clear()
self.delete(self.session_key)
self._session_key = ''
self._session_key = None
# At bottom to avoid circular import
from django.contrib.sessions.models import Session # isort:skip

View File

@ -4,7 +4,23 @@ Django 1.8.2 release notes
*Under development*
Django 1.8.2 fixes several bugs in 1.8.1.
Django 1.8.2 fixes a security issue and several bugs in 1.8.1.
Fixed session flushing in the ``cached_db`` backend
===================================================
A change to ``session.flush()`` in the ``cached_db`` session backend in Django
1.8 mistakenly sets the session key to an empty string rather than ``None``. An
empty string is treated as a valid session key and the session cookie is set
accordingly. Any users with an empty string in their session cookie will use
the same session store. ``session.flush()`` is called by
``django.contrib.auth.logout()`` and, more seriously, by
``django.contrib.auth.login()`` when a user switches accounts. If a user is
logged in and logs in again to a different account (without logging out) the
session is flushed to avoid reuse. After the session is flushed (and its
session key becomes ``''``) the account details are set on the session and the
session is saved. Any users with an empty string in their session cookie will
now be logged into that account.
Bugfixes
========

View File

@ -162,6 +162,7 @@ class SessionTestsMixin(object):
self.session.flush()
self.assertFalse(self.session.exists(prev_key))
self.assertNotEqual(self.session.session_key, prev_key)
self.assertIsNone(self.session.session_key)
self.assertTrue(self.session.modified)
self.assertTrue(self.session.accessed)