Thursday, April 11, 2013

Loading a page (with external authentication) changes the session_key

Hi Django users,

We're trying to migrate a project from Django 1.4 to Django 1.5.1 ...

The web service has to be accessible both as an authenticated and as an anonymous user. And we use external authentication with an Apache module (which sets the "REMOTE_USER" env var in accordance with https://docs.djangoproject.com/en/1.5/howto/auth-remote-user/).

The URL https://example.com/ has different content depending on whether the user is anonymous or authenticated.

The strategy we used with Django 1.4 was that only the URLs starting with /auth/ are authenticated by Apache's module. If the user (being on page https://example.com/) chooses to authenticate, he jumps to https://example.com/auth/ . The /auth/ URL is authenticated by Apache's module, then served by the Django application, which redirects back to https://example.com/ . Because of the session_key, Django knows that the user is authenticated.

Unfortunately with Django 1.5.1 ... the session_key is changed every time the browser moves from an authenticated URL to a non-authenticated one.

In my log, I can see (Django 1.5.1):

DEBUG 2013-04-09 09:15:20,571 views home None
DEBUG 2013-04-09 09:15:48,886 views auth ow1bzgdajs7i12d9bmfwwm3fpw47elna
DEBUG 2013-04-09 09:15:48,981 views home mehlf1x0iemx9yc3ddf6mhnls1nha1r4
  • The first line is when the user accesses https://example.com/ .
  • The second is when he clicks on the "Connexion" button.
  • The third is an HttpResponseRedirect to / .
  • The last string is request.session.session_key .

When I remove the Apache authentication on /auth (Django 1.5.1):

DEBUG 2013-04-09 09:16:45,268 views home None
DEBUG 2013-04-09 09:16:48,258 views auth None
DEBUG 2013-04-09 09:16:48,345 views home None

With Django 1.4, here is what the same log gives:

DEBUG 2013-04-09 09:11:21,899 views home None
DEBUG 2013-04-09 09:11:41,261 views auth f16ab3e574b866177803f9011dc33ab8
DEBUG 2013-04-09 09:11:41,375 views home f16ab3e574b866177803f9011dc33ab8

Is this change of behavior expected (a new feature)? How could we fix it?

Thanks!
Samuel

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
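The post describes a two-hop login: Apache sets REMOTE_USER only under /auth/, the Django view behind it redirects to /, and the app then relies on the session to know the user is logged in. The following is an added example, written for this page and not Django's code or the poster's project: a small self-contained model of that flow with a server-side session table, a REMOTE_USER middleware, and a replay of the post's three requests. It shows two things a practitioner would want to check. First, a fresh session key at login is expected (frameworks, Django's login() included, rotate the key to defeat session fixation), so the key itself is not a stable handle on identity; what matters is whether the session's user survives the hop back to an unprotected URL. Second, it contrasts two middleware policies when the header is absent: leave the session alone, or log the user out. The second policy produces exactly the shape seen in the post's log (a new key on the redirect and no user), whatever the actual cause in Django 1.5.1 is. The session slot name `_auth_user_id`, the `simulate` replay and the `redact` helper are this example's own assumptions. The helper also illustrates why raw session keys should not be written to a DEBUG log as in the post: they are bearer credentials.

```python
import hashlib
import secrets

AUTH_PREFIX = "/auth/"        # only these URLs sit behind the Apache auth module (from the post)
USER_KEY = "_auth_user_id"    # session slot holding the logged-in user (name assumed here)


class SessionStore:
    """Server-side session table: opaque key -> dict of session data (example model)."""

    def __init__(self):
        self._table = {}

    def load(self, key):
        """Return (key, data). Unknown or absent keys give an empty, keyless session,
        so an anonymous visitor has no key at all (the 'None' in the post's first line)."""
        if key in self._table:
            return key, dict(self._table[key])
        return None, {}

    def save(self, key, data):
        """Persist data under key, minting a key if the session has none yet."""
        if key is None:
            key = secrets.token_urlsafe(24)
        self._table[key] = dict(data)
        return key

    def cycle_key(self, key, data):
        """Keep the data but issue a fresh key: the anti-session-fixation step at login."""
        self._table.pop(key, None)
        return self.save(None, data)

    def flush(self, key):
        """Drop the data and issue a fresh empty key: what a logout does."""
        self._table.pop(key, None)
        return self.save(None, {})


def remote_user_middleware(store, key, data, remote_user, logout_when_header_missing):
    """Apply the REMOTE_USER policy to one request; returns the (key, data) to continue with."""
    if remote_user is not None:
        if data.get(USER_KEY) == remote_user:
            return key, data                 # already logged in as this user: nothing to do
        if USER_KEY in data:
            key, data = store.flush(key), {}  # a different user was in the session: start clean
        data[USER_KEY] = remote_user
        return store.cycle_key(key, data), data
    if logout_when_header_missing and USER_KEY in data:
        return store.flush(key), {}          # header gone on an unprotected URL: log out
    return key, data                         # header gone: trust the existing session


def simulate(logout_when_header_missing, user="samuel"):
    """Replay the post's requests: GET / (anonymous), GET /auth/ (Apache sets REMOTE_USER),
    then the redirect back to /. Returns [(path, session_key, user_in_session)] per request."""
    store = SessionStore()
    cookie = None                            # the browser's sessionid cookie
    log = []
    for path in ("/", "/auth/", "/"):
        remote_user = user if path.startswith(AUTH_PREFIX) else None   # the Apache layer
        key, data = store.load(cookie)
        key, data = remote_user_middleware(store, key, data, remote_user, logout_when_header_missing)
        if data:
            key = store.save(key, data)      # persist only when the session holds something
        cookie = key                         # Set-Cookie: sessionid=<key>
        log.append((path, key, data.get(USER_KEY)))
    return log


def still_logged_in_after_redirect(log, user="samuel"):
    """The check the app should make: is the user in the session on the final hop?
    Comparing session keys across hops is the wrong test, since login rotates them."""
    return log[-1][2] == user


def redact(key):
    """Log-safe stand-in for a session key: a short hash, never the bearer value itself."""
    return None if key is None else hashlib.sha256(key.encode()).hexdigest()[:8]


if __name__ == "__main__":
    for policy in (False, True):
        print("logout_when_header_missing =", policy)
        for path, key, who in simulate(policy):
            print(f"  {path:7} key={redact(key)} user={who}")
```

Run as a script it prints both replays; with the logout-on-missing-header policy the third line carries a new key and no user, which is the symptom the post reports, while with the other policy the key minted at /auth/ is reused on / and the user is still there.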