From http://www.djangoproject.com/documentation/sessions/ it follows:

Clearing the session table
==========================
...
To understand this problem, consider what happens when a user uses a
session. When a user logs in, Django adds a row to the django_session
database table. Django updates this row each time the session data
changes. If the user logs out manually, Django deletes the row. But if
the user does not log out, the row never gets deleted.

But in actual fact Django never deletes the row on logout.

In trunk/django/contrib/auth/__init__.py

---8<------------------------------------------------------
# Both constants are defined near the top of the same module
SESSION_KEY = '_auth_user_id'
BACKEND_SESSION_KEY = '_auth_user_backend'

def logout(request):
    """
    Remove the authenticated user's ID from the request.
    """
    try:
        del request.session[SESSION_KEY]
    except KeyError:
        pass
    try:
        del request.session[BACKEND_SESSION_KEY]
    except KeyError:
        pass
    if hasattr(request, 'user'):
        from django.contrib.auth.models import AnonymousUser
        request.user = AnonymousUser()
---8<------------------------------------------------------

It only deletes '_auth_user_id' and '_auth_user_backend' from the
session, but keeps the rest intact.
If a new user logs in with this browser (without closing it first and
thus deleting the session cookie), the session middleware takes the
session cookie and instantiates a SessionStore with it.

request.session = engine.SessionStore(session_key)

This effectively gives the new user the previous user's (polluted) session.

An easy fix would be to actually delete the row as stated in the documentation.
---8<------------------------------------------------------
from django.conf import settings

def logout(request):
    try:
        request.session.delete(request.COOKIES[settings.SESSION_COOKIE_NAME])
    except KeyError:
        pass
...
---8<------------------------------------------------------

My questions are:

* Is there a good reason why the sessions are not cleared at manual logout?
* Is there an alternative method of dealing with this situation, polluted sessions?
* Is this a bug, should I file a ticket?

Regards Louis.
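An added illustration of the two logout behaviours discussed above, using a constructed in-memory stand-in for Django's session table rather than Django's own code. `SessionStore`, `logout_keys_only`, `logout_flush` and `simulate` are assumed names; `logout_keys_only` mirrors the quoted trunk `logout()`, while `logout_flush` deletes the row and rotates the key so the next user on the same cookie cannot inherit anything.

```python
import secrets

# Constructed model of a server-side session store (stands in for django_session).
SESSION_KEY = "_auth_user_id"
BACKEND_SESSION_KEY = "_auth_user_backend"

class SessionStore:
    """Session data keyed by the value carried in the session cookie."""
    table = {}  # session_key -> session data; plays the role of the DB table

    def __init__(self, session_key=None):
        if session_key in self.table:
            # Cookie names an existing row: the new request inherits it as-is.
            self.session_key = session_key
            self.data = dict(self.table[session_key])
        else:
            # Unknown or missing key: start an empty session under a fresh key.
            self.session_key = secrets.token_hex(16)
            self.data = {}

    def save(self):
        self.table[self.session_key] = dict(self.data)

    def flush(self):
        # Delete the row and issue a new key; nothing survives for the next user.
        self.table.pop(self.session_key, None)
        self.session_key = secrets.token_hex(16)
        self.data = {}

def logout_keys_only(session):
    """Mirrors the quoted logout(): only the two auth keys are removed."""
    for key in (SESSION_KEY, BACKEND_SESSION_KEY):
        session.data.pop(key, None)
    session.save()

def logout_flush(session):
    """Hardened logout: drop the whole row and rotate the session key."""
    session.flush()

def simulate(logout):
    """User 1 logs in with some private state and logs out; user 2 then logs in
    from the same browser, so the old cookie value is presented again."""
    SessionStore.table.clear()
    s1 = SessionStore()
    s1.data.update({SESSION_KEY: "1", BACKEND_SESSION_KEY: "ModelBackend",
                    "cart": ["user1-private-item"]})  # constructed sample state
    s1.save()
    cookie = s1.session_key  # the browser keeps this cookie after logout
    logout(s1)
    s2 = SessionStore(cookie)
    s2.data[SESSION_KEY] = "2"
    s2.save()
    return s2.data  # what user 2's session contains after login
```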
