Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BUG: Concurrent session logout are miss-tracked #1190

Open
sevdog opened this issue Apr 15, 2024 · 2 comments · May be fixed by #1198
Open

BUG: Concurrent session logout are miss-tracked #1190

sevdog opened this issue Apr 15, 2024 · 2 comments · May be fixed by #1198
Labels
bug

Comments

@sevdog
Copy link
Contributor

sevdog commented Apr 15, 2024

Describe the bug
When there are concurrent sessions held by the same user on differente devices the first which logs-out also marks the time on the latter.

To Reproduce
Steps to reproduce the behavior:

  1. Configure AXES using AxesDatabaseHandler (the default one)
  2. Create a user
  3. Log in with that user using a browser
  4. Log in with that user using a different browser (or incognito mode)
  5. <repeat step 3 with other browser/client if needed>
  6. Log out from one of the active browsers

Now every AccessLog for that user has the same logout_time, even those for which there is still an active session. It is not possible to update access-logs for those records.

django-axes/axes/handlers/database.py

Lines 319 to 321 in fd9d185

AccessLog.objects.filter(
username=username, logout_time__isnull=True
).update(logout_time=request.axes_attempt_time)

Expected behavior
Every session for a single user should be related to a single AccessLog, to enable a correct tracking of the user.

Your environment
python version: 3.10
django version: 4.2
django-axes version:
Operating system: Linux

Possible implementation
It would be advisable to have an other optional field on AccessLog which can be a digest of the current session-id.
This could also be used as a method do detect whenever an access "expires" without log-off.
The reason for not using a FK to session is:

  • it is not secure since the PK of session usually is the session-id which must be kept secret and hard to find (if possible)
  • already username is not a real FK to user but just simple column
@sevdog sevdog added the bug label Apr 15, 2024
@aleksihakli
Copy link
Member

Thanks for reporting 👍

One option would be to make a mapping from access log objects to sessions so that the correct sessions can be revoked, as you said.

Sessions can also be stored in other session backends so the implementation should be compatible with those.

Would you have the opportunity for making a PR for fixing this bug @sevdog?

@sevdog
Copy link
Contributor Author

sevdog commented Apr 19, 2024

Sure, as soon as I can find enough time to work on it.

@sevdog sevdog linked a pull request Apr 30, 2024 that will close this issue
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add session hash to access log sevdog/django-axes
2 participants
@aleksihakli @sevdog