#21608: Logged out sessions are resurrected by concurrent requests
----------------------------------+-------------------------------------
     Reporter:  jonasborgstrom    |                    Owner:  anonymous
         Type:  Bug               |                   Status:  assigned
    Component:  contrib.sessions  |                  Version:  1.4
     Severity:  Normal            |               Resolution:
     Keywords:                    |             Triage Stage:  Accepted
    Has patch:  1                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  1
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+-------------------------------------

Comment (by tltx):

 I have reproduced this bug with the test site
 (https://github.com/jborg/django-21608) on both Django 1.8.7 and 1.9
 (using SQLite).

 These were the steps I used:
 * Open the admin page in a tab and log in. http://localhost:8000/admin/
 * Switch to a new tab and open the slow page. http://localhost:8000/slow/
   Act fast after this step to complete the next three steps before the slow
   page has finished loading (<10 sec).
 * Switch back to the tab with the admin page.
 * Click the "Logout" link in the top right corner of the page. -> Now you
   are on the logout page.
 * Reload the page -> Now you are on the login page.
 * Wait for the slow page to finish loading.
 * Reload the tab with the login page.
 * Logged in again without entering credentials!

 This is a security issue, though not a critical one, as someone might think
 that they have logged out but are actually still logged in.
 If you log out and leave a public computer while a page is still loading in
 another tab, there is a risk that the next person using that computer can
 get access to your account.
 It would be nice to have this fixed in 1.8 and up.

--
Ticket URL: <https://code.djangoproject.com/ticket/21608#comment:13>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
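The race reproduced in the comment above, as a self-contained model added here for illustration; this is neither Django's session code nor the ticket's test site, and the class and method names (`SessionBackend`, `SessionStore`, `flush`, `save`, `guarded`) are assumptions that only mirror the shape of a session middleware. A slow request loads the session, a concurrent logout deletes it, and the slow request's response writes the stale copy back under the old key and re-sets the cookie, so the next request is authenticated again. The `guarded` variant shows one mitigation: refuse to re-create a session row that was deleted after this request loaded it.

```python
import copy
import secrets


class SessionBackend:
    """In-memory stand-in for the session table (session_key -> data dict)."""

    def __init__(self):
        self.rows = {}

    def exists(self, key):
        return key in self.rows

    def load(self, key):
        return copy.deepcopy(self.rows.get(key))

    def save(self, key, data):
        self.rows[key] = copy.deepcopy(data)

    def delete(self, key):
        self.rows.pop(key, None)


class SessionStore:
    """Per-request session object, modelled on what a session middleware does:
    load the row when the request starts, write it back when the response is
    built. This is a simplified model (assumption), not Django's SessionStore."""

    def __init__(self, backend, session_key=None, guarded=False):
        self.backend = backend
        self.guarded = guarded
        self.session_key = session_key
        self.created_here = session_key is None  # no cookie: brand-new session
        self._data = (backend.load(session_key) if session_key else None) or {}
        self.modified = False

    def get(self, name, default=None):
        return self._data.get(name, default)

    def __setitem__(self, name, value):
        self._data[name] = value
        self.modified = True  # a modified session is written back at response time

    def flush(self):
        """Logout: delete the row and forget the key; the response clears the cookie."""
        self.backend.delete(self.session_key)
        self.session_key = None
        self._data = {}
        self.modified = True

    def save(self):
        """Write the session back; returns True if a row was written.
        Unguarded: always writes, so a session deleted by a concurrent logout
        is resurrected. Guarded: skips the write when the row this request
        loaded no longer exists (it was deleted in the meantime)."""
        if self.session_key is None:
            self.session_key = secrets.token_hex(16)
            self.created_here = True
        elif (self.guarded and not self.created_here
              and not self.backend.exists(self.session_key)):
            return False
        self.backend.save(self.session_key, self._data)
        return True


def simulate(guarded):
    """Replay the ticket's steps; returns the user_id seen by the final reload."""
    backend = SessionBackend()

    # 1. Login request: a fresh session is created and the browser stores its key.
    login = SessionStore(backend, guarded=guarded)
    login["user_id"] = 42  # constructed sample user
    login.save()
    cookie = login.session_key

    # 2. The slow request starts and loads the session while it is still valid.
    slow = SessionStore(backend, cookie, guarded=guarded)
    assert slow.get("user_id") == 42

    # 3. Logout completes while the slow request is still running: the row is
    #    deleted and the browser's cookie is cleared.
    logout = SessionStore(backend, cookie, guarded=guarded)
    logout.flush()
    cookie = None
    assert not backend.exists(slow.session_key)

    # 4. The slow view touches the session, so its response writes the stale
    #    copy back and, if a row was written, re-sets the cookie to the old key.
    slow["visited_slow"] = True
    if slow.save():
        cookie = slow.session_key

    # 5. The browser reloads the login page with whatever cookie it now holds.
    later = SessionStore(backend, cookie, guarded=guarded)
    return later.get("user_id")


if __name__ == "__main__":
    print("unguarded store, user after reload:", simulate(guarded=False))  # 42
    print("guarded store, user after reload:  ", simulate(guarded=True))   # None
```

Two caveats for anyone applying the guarded variant to a real store: the exists-then-write check is still check-then-act, so it shrinks the window from the whole slow request to the gap between the two calls rather than closing it (a database backend can close it by updating in place and treating zero affected rows as "deleted"); and with save-on-modify semantics the slow request only resurrects the session when its view, or a save-every-request setting, marks the session modified, which is why the model's slow view writes a key.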
