I am setting up a Django-based web application for a client. I have a test setup on my network at home. I am using Django 1.0.2, Apache 2.2.11, PostgreSQL 8.3.7.1, Python 2.6.2, mod_wsgi, psycopg. The app is very simple. Users can log on, fill in a few fields and get a code number for activating software installed from a CD. The app keeps a record of the fields, the date and the generated code number. Another page lets users deinstall the software and have this noted in the database so they can install it again (and get a different code number). There is a page for an admin person to clear any active entries in the database for a given software CD serial number. Finally there is the admin site for adding users, groups and permissions.

I want the admin site and the clear entries pages to be unavailable to ordinary users. On the views.py function for the clear entries url, I used the login_required decorator. This sometimes works, forcing the user to login. However sometimes it acts as if the user is already logged in, so a user without permissions, or even without authenticating, can see the clear entries page. This happens even if I close all browsers (I am mostly using Firefox but it happens with IE6 as well).

The most surprising thing is it happened when I created a new user using the admin site, logged in as the super user on one computer. I then logged out, and logged in on the same computer as the new user. I logged out. Then I went to another computer, where the new user had never been logged in from and tried to access the protected page. It let me in, saying I was the new user! It seems that session data from one computer is being picked up by another.

I watched the session table (using PgAdminIII) and I noticed that the number of rows does not change when a manual logout is done. This behaviour happens using Apache and using manage.py runserver. I am using the admin login/logout stuff - that is I haven't rolled my own login functions and templates (I did try this but it didn't help).

At the moment I am using Apache to stop any accesses from outside the intranet accessing the pages I want to protect but this is not always going to be satisfactory.

The Django server and PostgreSQL are running on a Win XP home laptop. I am testing using Firefox on both a Linux system and on an XP Pro system and also with IE6 on a Win 2000 Pro system. And also occasionally IE6 on the Django server as well.

Anyone got any idea what is going wrong?

Cheers
Steve McCusker