#17869 closed Bug (fixed)
With RemoteUserMiddleware, users keep being logged in after web server stops sending REMOTE_USER headers
Reported by: | Chris Lamb | Owned by: | Preston Holmes |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Release blocker | Keywords: | |
Cc: | enrico@…, krzysiumed@… | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
(Forwarded from http://bugs.debian.org/663230)
This was reproduced on 1.2.3-3+squeeze2 but the RemoteUserMiddleware code seems to be the same as the 1.3.1-4 in my development machine.
RemoteUserMiddleware relies on a REMOTE_USER variable to be set by the web server with the current user name, so far so good. However it does not log a person out if the variable disappears during the same browser session.
That may never happen with the usual browsers and auth, but it does happen for other setups like DACS that have a logout feature button.
The error is in this bit of django.contrib.auth.middleware.RemoteUserMiddleware:
try: username = request.META[self.header] except KeyError: # If specified header doesn't exist then return (leaving # request.user set to AnonymousUser by the # AuthenticationMiddleware). return
The except side assumes that if there is no request.META[self.header],
then the user is the anonymous one.
Since I found that it is not always the case, I fixed it adding a simple
"auth.logout(request)" before returning:
try: username = request.META[self.header] except KeyError: # If specified header doesn't exist then return (leaving # request.user set to AnonymousUser by the # AuthenticationMiddleware). # Make sure that if the server did not send any headers, # then we are actually logged out auth.logout(request) return
Attachments (1)
Change History (18)
comment:1 by , 13 years ago
comment:2 by , 13 years ago
Cc: | added |
---|
comment:3 by , 13 years ago
@lamby: good point. I've now changed the site code to only log out if the user is authenticated:
if request.user.is_authenticated(): auth.logout(request)
comment:4 by , 13 years ago
Component: | Uncategorized → contrib.auth |
---|---|
Triage Stage: | Unreviewed → Accepted |
Type: | Uncategorized → Bug |
comment:5 by , 13 years ago
I attached the file including enrico's solution, but I can't say if the solution works properly.
by , 13 years ago
Attachment: | 17869.diff added |
---|
comment:6 by , 13 years ago
Cc: | added |
---|---|
Easy pickings: | set |
Has patch: | set |
comment:7 by , 13 years ago
Needs documentation: | set |
---|---|
Needs tests: | set |
comment:8 by , 13 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:9 by , 13 years ago
Needs documentation: | unset |
---|---|
Needs tests: | unset |
Added a test and documentation.
Please review, see pull request https://github.com/django/django/pull/134
comment:10 by , 13 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Triage Stage: | Accepted → Unreviewed |
comment:12 by , 13 years ago
Resolution: | fixed |
---|---|
Severity: | Normal → Release blocker |
Status: | closed → reopened |
Triage Stage: | Unreviewed → Accepted |
Please don't close tickets if there hasn't been a commit yet. Accepting based on a discussion I had with the OP during DJangoCon and talk with Paul.
comment:13 by , 12 years ago
After 3 months, I just stumbled upon my un-pulled commits regarding this issue.
Time and commits have passed since, so I made a brand new pull request that works with today's fork of Django (Sept 9, 2012)
Please see https://github.com/django/django/pull/365
comment:14 by , 12 years ago
Owner: | changed from | to
---|---|
Status: | reopened → new |
Version: | 1.3 → master |
OK - I'm going to get this ready to commit - I'm adding a check to verify the backend used to authenticate the user.
The docs are vague about it - but I don't see any reason why ModelBackend and RemoteUserBackend can't be able to co-exist.
So I may add one more test that verifies that only users with the matching backend are logged out.
https://github.com/ptone/django/compare/ticket/17869-remoteuser-auth
comment:15 by , 12 years ago
It would be better to use auth.BACKEND_SESSION_KEY
, as in clean_username
, than to redefine BACKEND_SESSION_KEY
in this module.
Otherwise, this looks good to me.
comment:16 by , 12 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
The fix which worked for Enrico is not perfect as calling auth.logout will flush the session, this would break sessions for logged-out users as they are cleared every request.
What we need to do instead is to check that we think the user "should" be logged in (SESSION_KEY in request.session?) and then make a call to logout.