sessions: force new session id on login (#15698)

Frédéric Péters 2017-03-30 14:08:06 +02:00
parent abd2ed2bf2
commit 8027cb034c
2 changed files with 14 additions and 0 deletions


@ -143,3 +143,16 @@ def test_sessions_visiting_objects(pub, http_request):
# check visitors
assert set([x[0] for x in pub.get_object_visitors('formdata-foobar-2')]) == set(['FOO', 'BAR'])
assert set([x[0] for x in pub.get_object_visitors('formdata-foobar-1')]) == set([])
def test_session_do_not_reuse_id(pub, user, app):
pub.session_manager.session_class.wipe()
login(app, username='foo', password='foo')
assert pub.session_manager.session_class.count() == 1
resp = app.get('/')
login_page = app.get('/login/')
login_form = login_page.forms['login-form']
login_form['username'] = 'foo'
login_form['password'] = 'foo'
resp = login_form.submit()
assert resp.status_int == 302
assert pub.session_manager.session_class.count() == 2
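Review bot: The test never checks that the session id itself changed; the `count() == 2` assertion on the last line only shows a second record was stored, which a buggy implementation that keeps the cookie but duplicates the record would also satisfy. Capturing the cookie jar before the second login and comparing it afterwards makes the intent of the test name explicit, e.g. `cookies_before = dict(app.cookies)` before `login_form.submit()` and `assert dict(app.cookies) != cookies_before` after the status check. The `resp = app.get('/')` line also assigns a value that is overwritten a few lines later without being read; dropping the assignment (or asserting on it) would make the setup clearer.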


@ -149,6 +149,7 @@ class Session(QommonSession, CaptchaSession, StorableObject):
return None
def set_user(self, user_id):
self.id = None # force a new session id to be assigned
QuixoteSession.set_user(self, user_id)
if str(user_id).startswith('anonymous-'):
# do not store connection time for anonymous users
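Review bot: Resetting `self.id` before `QuixoteSession.set_user` gives the session a fresh id, but nothing here removes the record stored under the previous id, and the accompanying test asserts `count() == 2` after a second login, so that stale record appears to survive until it expires. When `set_user` runs on a session that already has a user (a re-login), the old record still carries that user, so the old id would presumably keep authenticating until expiry; deleting the previous record before `self.id = None` would close that window. If keeping the old record is intentional, the comment should say so, e.g. `# force a new session id to be assigned; the previous record is kept until it expires`. `set_user`'s body continues past the end of the hunk.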