Redirect after login to the page of the previous user #9
Comments
Nice report, thanks!
If I have some time along this week, I will try to go deeper in the code and see if I can help. This is an issue that is happening to me during development, since I am testing my website with two different users (staff and regular user) at a time.
Hi again, I have taken a look at django-session-security's middleware.py and you are calling "logout" from "django.contrib.auth.__init__.py" instead of "logout" from "django.contrib.auth.views.py". I noticed that "logout" from "django.contrib.auth.views.py" has additional features which, however, had no effect on solving this issue. I would just like to know if there is any reason for using "logout" from "__init__.py" rather than from "views.py".
Actually, the logout view uses the logout function. We're calling the logout function directly because we're in a middleware. If we were to redirect to a logout url, then we would redirect to the logout view. Do you understand?
Is this issue critical for you? If so, I will make it a priority; I assumed that it was not critical.
Ok, thanks for the explanation. That was what I had in mind before asking you; I just preferred to ask rather than make a mistake. I was taking a look both at your code and at django.contrib.auth, and I think that this issue might be more related to the latter project. In this project, whenever logout is invoked by security_session, user data is erased from the 'request' object but a reference to the page that the user is currently viewing is kept. When "login" is invoked again, there is no reference with which to compare the new user and the previous one, so the last page used by the user that was already logged out is used for redirection with the credentials of the new one. As you may realize, this problem will only appear when a user leaves his session open on a computer and another one comes, tries to use that session, and logs in again within the same navigator. This might not be something that happens very often, but in my opinion it may be somehow important.
Well, it's doing what it was designed for: when the user logs in, it brings him back to the place he was before. What happens exactly is:
This means that:
At no moment does django-session-security do a redirect. That's the problem: the browser sits on the same page no matter what physical person is on the keyboard.
Yes, for sure: you are absolutely right! The redirection is made by the middleware from django.contrib.auth, not by django-session-security; however, that redirection affects the behavior of the whole application.
I don't see any redirection at all ;)
I wasn't clear on "logout". The middleware calls this logout function from django: https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L96 As you can see, it does not do a redirect. By "logout" I mean that:
No redirect. The same page loads, but with
Hope this helps. Let me know if you have any questions.
Sincerely
After a session is closed due to inactivity for "user-A", if "user-B" logs in from the same navigator, the middleware redirects the new session for "user-B" to the last page that "user-A" was using. In my opinion, settings.REDIRECT_URL must be used for redirecting in this case.
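The sequence described in this thread, traced in an added example. This is not code from django-session-security or Django: it is a pure-Python model of the flow (no Django import, so it runs offline), in which `Session`, `Browser`, the `/staff/reports/` route, the user names and the `honour_next` switch are all constructed for the illustration, and `LOGIN_URL` / `LOGIN_REDIRECT_URL` stand in for the Django settings of the same name. `honour_next=True` reproduces the behaviour reported in the issue (the login lands on `?next=`, i.e. user-A's last page); `honour_next=False` models the reporter's suggestion of always redirecting to the configured post-login URL.

```python
# Added illustration for this issue thread; not code from django-session-security
# or Django. Pure-Python model of the reported flow, so it runs without Django.
# All routes, user names and the Session/Browser classes are constructed here.
# LOGIN_URL and LOGIN_REDIRECT_URL stand in for the Django settings of the same name.
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_URL = "/login/"
LOGIN_REDIRECT_URL = "/"  # where a login lands when no ?next= is honoured


class Session(dict):
    """Server-side session data; flush() mimics SessionStore.flush()."""

    def flush(self):
        self.clear()


class Browser:
    """One browser tab: it only moves when a response redirects it."""

    def __init__(self):
        self.session = Session()
        self.location = None


def auth_logout(session):
    """Models django.contrib.auth.logout(): wipes the session, sends no redirect."""
    session.flush()


def inactivity_middleware(browser, expired):
    """Models the middleware on an expired session: logs out, leaves the tab where it is."""
    if expired and "user" in browser.session:
        auth_logout(browser.session)
    return browser.location


def protected_view(browser, path):
    """Models a login_required view: anonymous -> redirect to LOGIN_URL?next=path."""
    if "user" in browser.session:
        browser.location = path
    else:
        browser.location = LOGIN_URL + "?" + urlencode({"next": path})
    return browser.location


def login_view(browser, username, honour_next):
    """Models the login view. honour_next=True is the behaviour reported in the
    issue; honour_next=False always uses LOGIN_REDIRECT_URL, as the reporter suggests."""
    browser.session["user"] = username
    query = parse_qs(urlparse(browser.location).query)
    if honour_next and "next" in query:
        browser.location = query["next"][0]
    else:
        browser.location = LOGIN_REDIRECT_URL
    return browser.location


def replay(honour_next):
    """user-A views a staff page, times out, user-B logs in on the same tab.
    Returns the page user-B lands on."""
    tab = Browser()
    tab.session["user"] = "user-A"
    protected_view(tab, "/staff/reports/")      # user-A is on a staff page
    inactivity_middleware(tab, expired=True)    # session ends; tab still shows the page
    protected_view(tab, "/staff/reports/")      # next click -> /login/?next=/staff/reports/
    return login_view(tab, "user-B", honour_next)


if __name__ == "__main__":
    print("next honoured:", replay(True))    # /staff/reports/  (user-A's last page)
    print("next ignored: ", replay(False))   # /
```

The model makes the two comments above concrete: nothing in `inactivity_middleware` moves the tab, so the redirect user-B experiences comes entirely from the `?next=` that the protected view attaches on the first request after the session was flushed. Dropping `next` (the `honour_next=False` path) is the reporter's proposal modelled here, not a fix the project states it adopted.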