mirror of
https://github.com/django/django.git
synced 2024-12-23 01:25:58 +00:00
Fixed #27009 -- Made update_session_auth_hash() rotate the session key.
This commit is contained in:
parent
937d752d3d
commit
7549eb0004
@ -215,6 +215,7 @@ def update_session_auth_hash(request, user):
|
||||
appropriately to prevent a password change from logging out the session
|
||||
from which the password was changed.
|
||||
"""
|
||||
request.session.cycle_key()
|
||||
if hasattr(user, 'get_session_auth_hash') and request.user == user:
|
||||
request.session[HASH_SESSION_KEY] = user.get_session_auth_hash()
|
||||
|
||||
|
@ -84,6 +84,9 @@ Minor features
|
||||
:class:`~django.contrib.auth.views.PasswordResetConfirmView` allows
|
||||
automatically logging in a user after a successful password reset.
|
||||
|
||||
* :func:`~django.contrib.auth.update_session_auth_hash` now rotates the session
|
||||
key to allow a password change to invalidate stolen session cookies.
|
||||
|
||||
:mod:`django.contrib.contenttypes`
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
|
@ -841,16 +841,16 @@ The default password change views included with Django,
|
||||
the session with the new password hash so that a user changing their own
|
||||
password won't log themselves out. If you have a custom password change view
|
||||
and wish to have similar behavior, use the :func:`update_session_auth_hash`
|
||||
function. In this case, however, if a user also wants to invalidate the session
|
||||
from which they're changing their password (for example, if they believe the
|
||||
session cookie on their machine was stolen), then they also need to log out
|
||||
that session.
|
||||
function.
|
||||
|
||||
.. function:: update_session_auth_hash(request, user)
|
||||
|
||||
This function takes the current request and the updated user object from
|
||||
which the new session hash will be derived and updates the session hash
|
||||
appropriately. Example usage::
|
||||
appropriately. It also rotates the session key so that a stolen session
|
||||
cookie will be invalidated.
|
||||
|
||||
Example usage::
|
||||
|
||||
from django.contrib.auth import update_session_auth_hash
|
||||
|
||||
@ -863,6 +863,10 @@ that session.
|
||||
else:
|
||||
...
|
||||
|
||||
.. versionchanged:: 1.11
|
||||
|
||||
Rotating of the session key was added.
|
||||
|
||||
.. note::
|
||||
|
||||
Since
|
||||
|
@ -479,6 +479,7 @@ class SessionAuthenticationTests(AuthViewsTestCase):
|
||||
session auth hash after a password change so the session isn't logged out.
|
||||
"""
|
||||
self.login()
|
||||
original_session_key = self.client.session.session_key
|
||||
response = self.client.post('/password_change/', {
|
||||
'old_password': 'password',
|
||||
'new_password1': 'password1',
|
||||
@ -486,6 +487,8 @@ class SessionAuthenticationTests(AuthViewsTestCase):
|
||||
})
|
||||
# if the hash isn't updated, retrieving the redirection page will fail.
|
||||
self.assertRedirects(response, '/password_change/done/')
|
||||
# The session key is rotated.
|
||||
self.assertNotEqual(original_session_key, self.client.session.session_key)
|
||||
|
||||
|
||||
class LoginTest(AuthViewsTestCase):
|
||||
|
Loading…
Reference in New Issue
Block a user