In an APP context, when the client invokes `DELETE` on `SessionView`, a new empty and useless session is created in the session store and an associated session token is present in the response. Because this new session is empty, it can't be used to authenticate, so fortunately there isn't any security issue related to this.
The problem is that Django's `logout()` function flushes the session which sets `session.modified = True`, but `expose_session_token()` attempts to create a new session token if `session.modified = True`. A simple fix would be to also check if the session data is empty.
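To make the reported behaviour concrete, here is an added example (not the project's code) with a minimal stand-in for Django's session object and store: `expose_session_token_buggy` issues a token for any modified session, while `expose_session_token_fixed` additionally requires the session not to be empty, using the `is_empty()` check that Django's `SessionBase` provides. `FakeSession`, `SessionStore` and `simulate_delete` are constructed for this example.

```python
# Added example, not the project's code: a minimal stand-in for Django's
# SessionBase and session backend so it runs offline.
class FakeSession:
    def __init__(self):
        self._data = {}
        self.session_key = None
        self.modified = False

    def __setitem__(self, key, value):
        self._data[key] = value
        self.modified = True

    def flush(self):
        # Mirrors Django's flush(): drop data and key, mark the session modified.
        self._data.clear()
        self.session_key = None
        self.modified = True

    def is_empty(self):
        # Mirrors SessionBase.is_empty(): no key and no data.
        return self.session_key is None and not self._data


class SessionStore:
    def __init__(self):
        self.saved = {}

    def create(self, session):
        # Persist the session under a new key and return that key as the token.
        key = f"tok{len(self.saved) + 1}"
        session.session_key = key
        self.saved[key] = dict(session._data)
        return key


def expose_session_token_buggy(session, store):
    # Reported behaviour: any modified session gets a token, even after flush().
    return store.create(session) if session.modified else None


def expose_session_token_fixed(session, store):
    # Proposed fix: a flushed (empty) session must not produce a token.
    if session.modified and not session.is_empty():
        return store.create(session)
    return None


def simulate_delete(expose, store):
    # Log in (one persisted session), then DELETE SessionView -> logout() -> flush().
    session = FakeSession()
    session["user_id"] = 1
    store.create(session)
    session.modified = False  # persisted; the DELETE request starts unmodified
    session.flush()  # what Django's logout() does
    return expose(session, store)
```

With the buggy version the store ends up holding a second, empty session; with the fix, only the original login session remains and no token is returned.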