Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add session hash to access log #1198

Merged
merged 1 commit into from
Jun 11, 2024
Merged

Add session hash to access log #1198

merged 1 commit into from
Jun 11, 2024

Conversation

sevdog
Copy link
Contributor

@sevdog sevdog commented Apr 30, 2024

What does this PR do?

This PR adds a new field on AccessLog to better track sessions.

There is still an issue for sessions in which a user changes its password: because django.contrib.auth creates a new session upon password change and no logout/login signal is fired since this is neither a login nor a logout. I suppose it would be fine to keep this case "untracked" since it is not possible to hook into that method and usually changing password is not a frequent task.

When no session engine is configured it falls back to current behaviour: a logout will set the logout_time to every AccessLog without it. However this could be tolerated since there is no standard way to track such case and usually when there is no session there is not the concept of login/logout.

Fixes #1190

Before submitting

  • This PR fixes a typo or improves the docs (you can dismiss the other checks if that's the case).
  • Did you make sure to update the documentation with your changes?
  • Did you write any new necessary tests?

@sevdog
Copy link
Contributor Author

sevdog commented Apr 30, 2024

To better handle "password change" events it could be nice to insert an AccessLog with a null attempt_time which could mean "this is a logout log for this user, we were unable to associate the right login".

aleksihakli
aleksihakli approved these changes Jun 11, 2024
View reviewed changes
axes/helpers.py
session = request.session
except AttributeError:
# when no session is available just return an empty string
return ""
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pondering on if this should be None or "" but both should work.

axes/migrations/0009_add_session_hash.py
field=models.CharField(
blank=True,
default="",
max_length=64,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SHA256 should be exactly 64 characters so it might be sensible to force this to either None or 64 characters with e.g. MinLengthValidator

@aleksihakli aleksihakli merged commit 8724405 into jazzband:master Jun 11, 2024
19 checks passed
@aleksihakli
Copy link
Member

Released as version 6.5.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aleksihakli aleksihakli aleksihakli approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

BUG: Concurrent session logout are miss-tracked
2 participants
@sevdog @aleksihakli