Refs #27468 -- Removed support for the pre-Django 3.1 user sessions.

Per deprecation timeline.
2025-10-31 09:41:08 +00:00 · 2021-01-12 20:31:36 +01:00
parent d32a232fe9
commit 6b4941dd57
5 changed files with 6 additions and 44 deletions
--- a/django/contrib/auth/init.py
+++ b/django/contrib/auth/init.py
@@ -190,13 +190,8 @@ def get_user(request):
                    user.get_session_auth_hash()
                )
                if not session_hash_verified:
-                    if not (
-                        session_hash and
-                        hasattr(user, '_legacy_get_session_auth_hash') and
-                        constant_time_compare(session_hash, user._legacy_get_session_auth_hash())
-                    ):
-                        request.session.flush()
-                        user = None
+                    request.session.flush()
+                    user = None

    return user or AnonymousUser()

--- a/django/contrib/auth/base_user.py
+++ b/django/contrib/auth/base_user.py
@@ -121,11 +121,6 @@ class AbstractBaseUser(models.Model):
        """
        return is_password_usable(self.password)

-    def _legacy_get_session_auth_hash(self):
-        # RemovedInDjango40Warning: pre-Django 3.1 hashes will be invalid.
-        key_salt = 'django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash'
-        return salted_hmac(key_salt, self.password, algorithm='sha1').hexdigest()
-
    def get_session_auth_hash(self):
        """
        Return an HMAC of the password field.
--- a/docs/releases/4.0.txt
+++ b/docs/releases/4.0.txt
@@ -292,3 +292,6 @@ to remove usage of these features.
 * Support for the pre-Django 3.1 ``django.core.signing.dumps()`` signatures
  (encoded with the SHA-1 algorithm) in ``django.core.signing.loads()`` is
  removed.
+
+* Support for the pre-Django 3.1 user sessions (that use the SHA-1 algorithm)
+  is removed.
--- a/tests/auth_tests/test_middleware.py
+++ b/tests/auth_tests/test_middleware.py
@@ -24,16 +24,6 @@ class TestAuthenticationMiddleware(TestCase):
        self.assertIsNotNone(self.request.user)
        self.assertFalse(self.request.user.is_anonymous)

-    def test_no_password_change_does_not_invalidate_legacy_session(self):
-        # RemovedInDjango40Warning: pre-Django 3.1 hashes will be invalid.
-        session = self.client.session
-        session[HASH_SESSION_KEY] = self.user._legacy_get_session_auth_hash()
-        session.save()
-        self.request.session = session
-        self.middleware(self.request)
-        self.assertIsNotNone(self.request.user)
-        self.assertFalse(self.request.user.is_anonymous)
-
    @ignore_warnings(category=RemovedInDjango40Warning)
    def test_session_default_hashing_algorithm(self):
        hash_session = self.client.session[HASH_SESSION_KEY]
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@@ -9,7 +9,7 @@ from django.apps import apps
 from django.conf import settings
 from django.contrib.admin.models import LogEntry
 from django.contrib.auth import (
-    BACKEND_SESSION_KEY, HASH_SESSION_KEY, REDIRECT_FIELD_NAME, SESSION_KEY,
+    BACKEND_SESSION_KEY, REDIRECT_FIELD_NAME, SESSION_KEY,
 )
 from django.contrib.auth.forms import (
    AuthenticationForm, PasswordChangeForm, SetPasswordForm,
@@ -710,27 +710,6 @@ class LoginTest(AuthViewsTestCase):
        self.login(password='foobar')
        self.assertNotEqual(original_session_key, self.client.session.session_key)

-    def test_legacy_session_key_flushed_on_login(self):
-        # RemovedInDjango40Warning.
-        user = User.objects.get(username='testclient')
-        engine = import_module(settings.SESSION_ENGINE)
-        session = engine.SessionStore()
-        session[SESSION_KEY] = user.id
-        session[HASH_SESSION_KEY] = user._legacy_get_session_auth_hash()
-        session.save()
-        original_session_key = session.session_key
-        self.client.cookies[settings.SESSION_COOKIE_NAME] = original_session_key
-        # Legacy session key is flushed on login.
-        self.login()
-        self.assertNotEqual(original_session_key, self.client.session.session_key)
-        # Legacy session key is flushed after a password change.
-        user.set_password('password_2')
-        user.save()
-        original_session_key = session.session_key
-        self.client.cookies[settings.SESSION_COOKIE_NAME] = original_session_key
-        self.login(password='password_2')
-        self.assertNotEqual(original_session_key, self.client.session.session_key)
-
    def test_login_session_without_hash_session_key(self):
        """
        Session without django.contrib.auth.HASH_SESSION_KEY should login