Comments (5)
That's quite a debug session in order to find that! I've made a minor change in 317e337 to log out a user when he's trying to delete his current session. This should set the session_key to None (request.session.flush()), which prevents the session being re-written to db.
However, this might also point to another issue. What if a user ends all other sessions, and the above happens? Will there still be a new session object written to db in step 3? If so, that could be quite a major issue.
from django-user-sessions.
@Bouke Yeah, it took a while stepping through code. Your change looks like it should fix the issue.
In my testing, there's no conflict between the two middleware modules when deleting other sessions, because the session_security module only updates the last_activity on the current session. So deleting other sessions works as expected.
from django-user-sessions.
I'm thinking along these lines;
- Session A clicks "end all other sessions"
- Session B clicks "heavy page" (a page that requires a while to process)
- Server starts processing both A and B (multi-threaded / -process server)
- Server completes request for A, removing all sessions except A.
- Server completes request B, however the session was modified, so this triggers the middleware to update the session in the database
- Will it realise that there is no session and accept no further requests? Or will it store the session as a new record in the database, effectively by-passing the forced log-out?
Maybe this could be reproduced by artificially introducing a delay in a view (time.sleep(10)) and would also require a multi-threaded server.
from django-user-sessions.
Yeah, that sounds like a possible race in this scenario. The race exists even when deleting a single session, if there's another ongoing request for that session, and session_security middleware is in use.
You'd need to mark each session as "dying" in the DB, so as to fail the save() on request B. Though, in practice this won't occur often, and is detectable by the user refreshing the /account/sessions/ page.
from django-user-sessions.
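The interleaving discussed in the comments above can be replayed deterministically. This is an added example, not code from django-user-sessions, session_security or Django: it uses only the standard-library sqlite3 module, and the table layout and function names are hypothetical. Instead of the "dying" flag suggested above, it contrasts an insert-or-update save, which re-creates the deleted session, with an update-only save that rejects it.

```python
import sqlite3


class SessionGone(Exception):
    """The session row was deleted while the request was still in flight."""


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session "
               "(session_key TEXT PRIMARY KEY, user_id INTEGER, data TEXT)")
    return db


def save_upsert(db, key, user_id, data):
    """Insert-or-update save: silently re-creates a row that was deleted."""
    db.execute("INSERT OR REPLACE INTO session VALUES (?, ?, ?)",
               (key, user_id, data))


def save_update_only(db, key, user_id, data):
    """Update-only save: an existing row may change, a deleted one stays gone."""
    cur = db.execute("UPDATE session SET data = ? "
                     "WHERE session_key = ? AND user_id = ?",
                     (data, key, user_id))
    if cur.rowcount == 0:
        raise SessionGone(key)


def end_other_sessions(db, user_id, current_key):
    db.execute("DELETE FROM session WHERE user_id = ? AND session_key != ?",
               (user_id, current_key))


def simulate(save):
    """Replay: B starts a slow request, A ends other sessions, B then saves."""
    db = make_db()
    for key in ("A", "B"):  # constructed sample sessions for one user
        db.execute("INSERT INTO session VALUES (?, 1, 'initial')", (key,))
    # Request B is in flight and already holds its session key in memory.
    end_other_sessions(db, 1, "A")  # request A completes first
    try:
        # Request B completes; the session was modified, so it is saved.
        save(db, "B", 1, "last_activity=updated")
        rejected = False
    except SessionGone:
        rejected = True
    keys = sorted(r[0] for r in db.execute("SELECT session_key FROM session"))
    return keys, rejected


if __name__ == "__main__":
    print("upsert save:     ", simulate(save_upsert))
    print("update-only save:", simulate(save_update_only))
```

With the insert-or-update save, session B is back in the table after the forced log-out; with the update-only save, only A remains and B's write is rejected.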
Hi there, this is an old bug, but I noticed this behaviour today.
When ending all other sessions and then your current session, this error is returned:
TypeError at /account/sessions/svxqrcy1ofr0yiyyoa8hukee6elmu6pt/delete/
argument of type 'NoneType' is not iterable
I also use the combination of session_security and user_sessions.
Somehow the logout is not triggered but the session gets removed.
from django-user-sessions.