mirror of
https://github.com/django/django.git
synced 2024-11-29 14:46:18 +01:00
Fixed #26614 -- Used constant_time_compare() in checking session auth hash in login().
This commit is contained in:
parent
104727030c
commit
094ea69e07
@ -100,7 +100,7 @@ def login(request, user, backend=None):
|
||||
if SESSION_KEY in request.session:
|
||||
if _get_user_session_key(request) != user.pk or (
|
||||
session_auth_hash and
|
||||
request.session.get(HASH_SESSION_KEY) != session_auth_hash):
|
||||
not constant_time_compare(request.session.get(HASH_SESSION_KEY, ''), session_auth_hash)):
|
||||
# To avoid reusing another user's session, create a new, empty
|
||||
# session if the existing session corresponds to a different
|
||||
# authenticated user.
|
||||
|
Loading…
Reference in New Issue
Block a user