Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Redirect after login to the page of the previous user #9

Open
rtubio opened this issue Dec 8, 2013 · 10 comments
Open

Redirect after login to the page of the previous user #9

rtubio opened this issue Dec 8, 2013 · 10 comments

Comments

@rtubio
Copy link

rtubio commented Dec 8, 2013

After a session is closed due to inactivity for "user-A" and if "user-B" logs in from the same navigator, the middleware redirects the new session for "user-B" to the last page that "user-A" was using. In my opinion, settings.REDIRECT_URL must be used for redirecting in this case.

@jpic
Copy link
Member

jpic commented Dec 8, 2013

Nice report, thanks !

@rtubio
Copy link
Author

rtubio commented Dec 9, 2013

If I have some time along this week, I will try to go deeper in the code and see if I can help. This is an issue that it is happening to me during development, since I am testing my website with two different users (staff and regular user) at a time.

@rtubio
Copy link
Author

rtubio commented Dec 12, 2013

Hi again,

I have taken a look at django-session-security's middleware.py and you are calling "logout" from "django.contrib.auth.init.py" instead of "logout" from "django.contrib.auth.views.py". I noticed that "logout" from "django.contrib.auth.views.py" has additional features which, however, had no effect on solving this issue. I would just like to know if there is any reason for using "logout" from "init.py" rather than from "views.py".

@jpic
Copy link
Member

jpic commented Dec 12, 2013

Actually, the logout view uses the logout function.

We're calling the logout function directly because we're in a middleware.

If we were to redirect to a logout url, then we would redirect to the logout view.

Do you understand ?

@jpic
Copy link
Member

jpic commented Dec 12, 2013

Is this issue critical for you ? If so I will make it a priority, I assumed that it was not critical.

@rtubio
Copy link
Author

rtubio commented Dec 12, 2013

Ok, thanks for the explanation. That was what I had in mind before asking you, I just preferred to ask rather than making a mistake. I was taking a look both at your code and at django.contrib.auth and I think that this issue might be more related with the latter project.

In this project, whenever logout is invoked by security_session, user data is erased from the 'request' object but a reference to the page that the user is currently viewing is kept. When "login" is invoked again, there is no reference with which to compare the new user and the previous one, so that the last page used by the user that was already logged out, is used for redirection with the credentials of the new one.

As you may realize, this problem will only appear when a user leaves his session open in a computer and another one comes, tries to use that session, and logs in again within the same navigator. This might not be something that happens very often, but in my opinion may be somehow important.

@jpic
Copy link
Member

jpic commented Dec 12, 2013

Well, it's doing what it was designed for: when the user logs it bring him back to the place he was before.

What happens exactly is:

  • yourlabs.SessionSecurity from script.js runs SessionSecurity.ping() periodically, it reports how much time has elapsed since it had client-side activity to PingView,
  • in return, PingView returns how much time has elapsed since there has been any activity reported from all clients (all browsers tabs), the lowest is kept of course,
  • the response is processed by yourlabs.SessionSecurity.pong() which updates the last activity of this client, then calls yourlabs.SessionSecurity.apply() which finds out that an amount of inactive time is superior to the expiration setting, so it calls yourlabs.SessionSecurity.expire(),
  • yourlabs.SessionSecurity.expire() just does window.location.reload(),
  • when SessionSecurityMiddleware.process_request() learns that the page should be loaded and that the session should have expired: it calls logout().

This means that:

  • you are on /admin/auth/user/,
  • your session expire, yourlabs.SessionSecurity requests a page reload,
  • you load /admin/auth/user/ again, but the middleware logs you out and you are presented the login form.

At no moment django-session-security does a redirect. That's the problem: the browser sits on the same page no matter what physical person is on the keyboard.

@rtubio
Copy link
Author

rtubio commented Dec 12, 2013

Yes, for sure: you are absolutely right! The redirection is made by the middleware from django.contrib.auth, not by django-session-security; however, that redirection affects to the behavior of the whole application.

@jpic
Copy link
Member

jpic commented Dec 12, 2013

I don't see any redirection at all ;)

  • you are on /admin/auth/user,
  • script.js decides that your session has expired, it reloads /admin/auth/user,
  • on the way, the middleware decides to log you out,
  • /admin/auth/user is rendered, but you have been logged out.

@jpic
Copy link
Member

jpic commented Dec 13, 2013

I wasn't clear on "logout". The middleware calls this logout function from django: https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L96

As you can see, it does not do a redirect. By "logout" I mean that:

 request.user = AnonymousUser()

No redirect. The same page loads, but with request.user = AnonymousUser(), hence the login form on the same url.

Hope this helps

Let me know if you have any question

Sincerly

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants