sessions: force new session id on login (#15698)
parent
abd2ed2bf2
commit
8027cb034c
@ -143,3 +143,16 @@ def test_sessions_visiting_objects(pub, http_request):
|
|||
# check visitors
|
||||
assert set([x[0] for x in pub.get_object_visitors('formdata-foobar-2')]) == set(['FOO', 'BAR'])
|
||||
assert set([x[0] for x in pub.get_object_visitors('formdata-foobar-1')]) == set([])
|
||||
|
||||
def test_session_do_not_reuse_id(pub, user, app):
|
||||
pub.session_manager.session_class.wipe()
|
||||
login(app, username='foo', password='foo')
|
||||
assert pub.session_manager.session_class.count() == 1
|
||||
resp = app.get('/')
|
||||
login_page = app.get('/login/')
|
||||
login_form = login_page.forms['login-form']
|
||||
login_form['username'] = 'foo'
|
||||
login_form['password'] = 'foo'
|
||||
resp = login_form.submit()
|
||||
assert resp.status_int == 302
|
||||
assert pub.session_manager.session_class.count() == 2
|
||||
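Review bot: The new test only asserts that a second session record exists after the re-login (`assert pub.session_manager.session_class.count() == 2`); it never checks that the session identifier handed to the browser actually changed, which is what the commit title promises. Capture the identifier before the second login and compare afterwards, e.g. read the session cookie from `app.cookies` into `old_sid` before `login_form.submit()` and add `assert app.cookies[<SESSION_COOKIE_NAME>] != old_sid` after the status check (the cookie name is project-specific and not visible here). The `count() == 2` assertion also pins that the first, already-authenticated session record is kept in the store after the re-login; if that retention is intended it deserves a comment such as `# the previous session record is kept until it expires`, otherwise the test is cementing behaviour that should change. `resp = app.get('/')` is assigned and then overwritten without being read and can be dropped.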
@ -149,6 +149,7 @@ class Session(QommonSession, CaptchaSession, StorableObject):
|
|||
return None
|
||||
|
||||
def set_user(self, user_id):
|
||||
self.id = None # force a new session id to be assigned
|
||||
QuixoteSession.set_user(self, user_id)
|
||||
if str(user_id).startswith('anonymous-'):
|
||||
# do not store connection time for anonymous users
|
||||
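Review bot: `self.id = None` drops the reference to the previous session record without removing it, so the entry stored under the old id presumably stays in the session store until it expires, and the test added in this commit (`count() == 2`) documents exactly that. If the goal is to defeat session fixation, consider discarding the previous record once the new id is assigned, e.g. keep `old_id = self.id` before the reset and remove that record through the session class's removal method (its name is not visible in this hunk). The reset also applies to every caller, including the anonymous branch immediately below and repeated `set_user` calls for the same user within one request, so the cookie changes on each call; a comment like `self.id = None  # rotate the session id on every set_user(), anonymous users included` would make that explicit. set_user's body continues outside the hunk.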