
mtre...@bcc190cf-cafb-0310-a4f2-bffc1f526a37  committed 4536ccc

Implemented a flush() method on sessions that cleans out the session and
regenerates the key. Used to ensure the caller gets a fresh session at logout,
for example.

Based on a patch from mrts. Refs #7515.

  • Parent commits 5dbe07d


Files changed (6)

File django/contrib/sessions/backends/base.py

             return settings.SESSION_EXPIRE_AT_BROWSER_CLOSE
         return self.get('_session_expiry') == 0
 
+    def flush(self):
+        """
+        Removes the current session data from the database and regenerates the
+        key.
+        """
+        self.clear()
+        self.delete()
+        self.create()
+
     # Methods that child classes must implement.
 
     def exists(self, session_key):
         """
         raise NotImplementedError
 
-    def delete(self, session_key):
+    def delete(self, session_key=None):
         """
-        Clears out the session data under this key.
+        Deletes the session data under this key. If the key is None, the
+        current session key value is used.
         """
         raise NotImplementedError
 

File django/contrib/sessions/backends/cache.py

             return True
         return False
 
-    def delete(self, session_key):
+    def delete(self, session_key=None):
+        if session_key is None:
+            session_key = self._session_key
         self._cache.delete(session_key)
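Review bot: The fallback `session_key = self._session_key` does not cover the case where `_session_key` is itself still unset. If that attribute can be None before a key has been assigned (its initialisation is not visible on this page), the call becomes `self._cache.delete(None)`. The same fallback is added in db.py and file.py, where the None would reach `Session.objects.get(session_key=...)` and `self._key_to_file(...)`. A guard after the fallback, `if session_key is None: return`, would make all three a no-op for a session that was never stored.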
 

File django/contrib/sessions/backends/db.py

                 raise CreateError
             raise
 
-    def delete(self, session_key):
+    def delete(self, session_key=None):
+        if session_key is None:
+            session_key = self._session_key
         try:
             Session.objects.get(session_key=session_key).delete()
         except Session.DoesNotExist:

File django/contrib/sessions/backends/file.py

             return True
         return False
 
-    def delete(self, session_key):
+    def delete(self, session_key=None):
+        if session_key is None:
+            session_key = self._session_key
         try:
             os.unlink(self._key_to_file(session_key))
         except OSError:
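Review bot: With `flush()` now relying on this `delete()` at logout, the `except OSError:` around `os.unlink` becomes security-relevant. The handler body lies outside this section, but if it ignores every `OSError`, a failed unlink (for example a permissions error) would leave the old session file on disk while `flush()` goes on to issue a new key. The old cookie value could then still load the old data. Consider ignoring only the "file does not exist" case and re-raising anything else, with a comment such as `# A missing file is fine; any other error means the old session was NOT removed.`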

File django/contrib/sessions/tests.py

 >>> db_session.exists(db_session.session_key)
 False
 
+>>> db_session['foo'] = 'bar'
+>>> db_session.save()
+>>> db_session.exists(db_session.session_key)
+True
+>>> prev_key = db_session.session_key
+>>> db_session.flush()
+>>> db_session.exists(prev_key)
+False
+>>> db_session.session_key == prev_key
+False
+>>> db_session.modified, db_session.accessed
+(True, True)
+
 >>> file_session = FileSession()
 >>> file_session.modified
 False
 >>> file_session.exists(file_session.session_key)
 False
 
+>>> file_session['foo'] = 'bar'
+>>> file_session.save()
+>>> file_session.exists(file_session.session_key)
+True
+>>> prev_key = file_session.session_key
+>>> file_session.flush()
+>>> file_session.exists(prev_key)
+False
+>>> file_session.session_key == prev_key
+False
+>>> file_session.modified, file_session.accessed
+(True, True)
+
 # Make sure the file backend checks for a good storage dir
 >>> settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer"
 >>> FileSession()
 >>> cache_session.delete(cache_session.session_key)
 >>> cache_session.exists(cache_session.session_key)
 False
+>>> cache_session['foo'] = 'bar'
+>>> cache_session.save()
+>>> cache_session.exists(cache_session.session_key)
+True
+>>> prev_key = cache_session.session_key
+>>> cache_session.flush()
+>>> cache_session.exists(prev_key)
+False
+>>> cache_session.session_key == prev_key
+False
+>>> cache_session.modified, cache_session.accessed
+(True, True)
 
 >>> s = SessionBase()
 >>> s._session['some key'] = 'exists' # Pre-populate the session with some data
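Review bot: The new doctests check that the old key is gone and that the key changed, but none of them checks that the session data itself was cleared by `flush()`. A regression that regenerated the key while carrying `'foo'` over to the new session would still pass. Adding `>>> db_session.get('foo') is None` with expected output `True` after each `flush()` call (likewise for `file_session` and `cache_session`) would pin the property the logout path depends on.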

File docs/sessions.txt

 
 It also has these methods:
 
+    * ``flush()``
+
+      **New in Django development version**
+
+      Delete the current session data from the database and regenerate the
+      session key value that is sent back to the user in the cookie. This is
+      used if you want to ensure that the previous session data can't be
+      accessed again from the user's browser (for example, the standard
+      ``logout()`` method calls it).
+
     * ``set_test_cookie()``
 
       Sets a test cookie to determine whether the user's browser supports