Opened 11 years ago

Last modified 7 years ago

#21608 closed Bug

Logged out sessions are resurrected by concurrent requests — at Initial Version

Reported by: Jonas Borgström Owned by: nobody
Component: contrib.sessions Version: 1.9
Severity: Normal Keywords:
Cc: m17.admin@…, tlt@… Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

  1. User logs in
  2. User loads a slow page in separate tab or as an ajax request
  3. User logs out before request in step 2 completes. This will delete the session from the db

Expected behavior

User/session stays logged out since the user explicitly logged out and the session row was delete in step 3.

Actual behavior

The previously deleted session is re-inserted into the database when the request from step 2 completes. So the previously logged out user is now logged in again.

Change History (1)

by Jonas Borgström, 11 years ago

Attachment: session_fix.patch added

Proposed fix (against django 1.4)

Note: See TracTickets for help on using tickets.
Back to Top