Fixed DoS possiblity in contrib.auth.views.logout()

Thanks Florian Apolloner and Carl Meyer for review. This is a security fix.
2025-10-23 21:59:11 +00:00 · 2015-08-05 16:51:42 -04:00
parent b0ab74dfca
commit 8cc41ce7a7
5 changed files with 67 additions and 1 deletions
--- a/tests/sessions_tests/tests.py
+++ b/tests/sessions_tests/tests.py
@@ -678,6 +678,23 @@ class SessionMiddlewareTests(TestCase):
            str(response.cookies[settings.SESSION_COOKIE_NAME])
        )

+    def test_flush_empty_without_session_cookie_doesnt_set_cookie(self):
+        request = RequestFactory().get('/')
+        response = HttpResponse('Session test')
+        middleware = SessionMiddleware()
+
+        # Simulate a request that ends the session
+        middleware.process_request(request)
+        request.session.flush()
+
+        # Handle the response through the middleware
+        response = middleware.process_response(request, response)
+
+        # A cookie should not be set.
+        self.assertEqual(response.cookies, {})
+        # The session is accessed so "Vary: Cookie" should be set.
+        self.assertEqual(response['Vary'], 'Cookie')
+

 # Don't need DB flushing for these tests, so can use unittest.TestCase as base class
 class CookieSessionTests(SessionTestsMixin, unittest.TestCase):