#23066: Already logged-in user remains logged in when RemoteUser authentication
of
new user fails
-------------------------+-------------------------------------------------
Reporter: | Owner: nobody
david.greisen@… | Status: new
Type: Bug | Version: master
Component: | Keywords: remoteUserBackend
contrib.auth | RemoteUserMiddleware
Severity: Normal | Has patch: 0
Triage Stage: | UI/UX: 0
Unreviewed |
Easy pickings: 1 |
-------------------------+-------------------------------------------------
Currently, when remoteUserBackend fails to authenticate the
username passed in the header, and create_unknown_user==False,
RemoteUserMiddleware does nothing. Thus, if a different user
was logged in, that user will remain logged in despite the failed
attempt to log in a new user.
This is a security issue.
https://github.com/django/django/pull/2936 fixes this problem
by logging out the request if the user returned
by the middleware is None (a failed login attempt).
--
Ticket URL: <https://code.djangoproject.com/ticket/23066>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/065.d0fb90094277fee2d0bfbd2cf9da7d1b%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
