-
-
Notifications
You must be signed in to change notification settings - Fork 130
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
session_security breaks "End Session" on the current session when using user_sessions #65
Comments
That's quite a debug session in order to find that! I've made a minor change in 317e337 to logout a user when he's trying to delete his current session. This should set the session_key to However this might also point to another issue. What if a user ends all other sessions, and the above happens? Will there still be a new session object written to db in step 3? If so, that could be quite major issue. |
@Bouke Yeah, it took a while stepping through code. Your change looks like it should fix the issue. In my testing, there's no conflict between the two middleware modules when deleting other sessions, because the session_security module only updates the last_activity on the current session. So deleting other sessions works as expected. |
I'm thinking along these lines;
Maybe this could be reproduced by artificially introducing a delay in a view ( |
Yeah, that sounds like a possible race in this scenario. The race exists even deleting a single session, if there's another ongoing request for that session, and session_security middleware is in use. You'd need to mark each session as "dying" in the DB, so as to fail the save() on request B. Though, in practice this won't occur often, and is detectable by the user refreshing the /account/sessions/ page. |
Hi there, this is an old bug, but I noticed this behaviour today.
I also use the combination of session_security and user_sessions. |
The middleware
session_security.middleware.SessionSecurityMiddleware
Provides a session last_activity update on each http request, to decrease chance of session logout.
When using the user_sessions middleware alone, clicking "End Session" will behave the same way as "Logout". Unfortunately, when combined with the session_security middleware, clicking "End Session" on the current session has no effect.
With some pdb tracing, I've figured out the following rough series of events:
The user is redirected to the same Session List page, with their current session still active.
I've opened an issue in session_security and have a proposed fix for that code base, which will add a configuration change that disables the last_activity update on the session_delete view.
yourlabs/django-session-security#89
Tracking here to update user_sessions documentation if/when my proposed fix is accepted.
The text was updated successfully, but these errors were encountered: