From c5f70d02214040c845c949a21b38edf89b1301f9 Mon Sep 17 00:00:00 2001
From: Ben Adida <ben@adida.net>
Date: Mon, 27 Sep 2010 21:08:34 -0700
Subject: [PATCH] some extra caution for session management

---
 auth/auth_systems/password.py |  4 ++--
 auth/views.py                 | 11 +++++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/auth/auth_systems/password.py b/auth/auth_systems/password.py
index e9b6e0f..f57dfb7 100644
--- a/auth/auth_systems/password.py
+++ b/auth/auth_systems/password.py
@@ -57,7 +57,7 @@ def password_login_view(request):
           if request.POST.has_key('return_url'):
             request.session['auth_return_url'] = request.POST.get('return_url')
 
-          request.session['user'] = user
+          request.session['password_user'] = user
           return HttpResponseRedirect(reverse(after))
       except User.DoesNotExist:
         pass
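Review bot: The renamed key still stores the whole `user` model object in the session rather than an identifier, so the session carries a serialized copy of the account record (including whatever `user.info` holds) that does not refresh when the record changes; `get_user_info_after_auth` in the next hunk reads it back the same way. Consider `request.session['password_user'] = user.user_id` here and re-loading the record by id in the reader, so the session holds only a reference. Also, the old `'user'` key is no longer written but nothing clears it from sessions that already hold it, so a stale entry may linger until logout — presumably harmless, but worth a sentence in the commit message. password_login_view's body starts and continues outside the hunk.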
@@ -101,7 +101,7 @@ def get_auth_url(request, redirect_url = None):
   return reverse(password_login_view)
     
 def get_user_info_after_auth(request):
-  user = request.session['user']
+  user = request.session['password_user']
   user_info = user.info
   
   return {'type': 'password', 'user_id' : user.user_id, 'name': user.name, 'info': user.info, 'token': None}
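Review bot: `request.session['password_user']` raises KeyError when the key is absent (a session that authenticated through another system, or one that expired between the login post and this call), and nothing in the function handles that, so the request ends in an unhandled exception rather than a controlled failure. `user = request.session.get('password_user')` followed by an explicit check, or catching KeyError in the caller, would make the missing-session case deliberate. The rest of get_user_info_after_auth is unchanged and the enclosing module continues outside the hunk.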
diff --git a/auth/views.py b/auth/views.py
index 7aef37c..605fe17 100644
--- a/auth/views.py
+++ b/auth/views.py
@@ -81,6 +81,12 @@ def do_local_logout(request):
   # but we definitely kill the session and renew
   # the cookie
   field_names_to_save = request.session.get(FIELDS_TO_SAVE, [])
+
+  # let's clean up the self-referential issue:
+  field_names_to_save = set(field_names_to_save)
+  field_names_to_save.remove(FIELDS_TO_SAVE)
+  field_names_to_save = list(field_names_to_save)
+
   fields_to_save = dict([(name, request.session.get(name, None)) for name in field_names_to_save])
 
   # let's not forget to save the list of fields to save
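Review bot: `field_names_to_save.remove(FIELDS_TO_SAVE)` raises KeyError when the name is not in the set, and the line above defaults to `[]`, so a session that has never stored the list (a first logout, or a session started elsewhere) makes logout fail; use `field_names_to_save.discard(FIELDS_TO_SAVE)`. Going through a set also drops the original ordering and duplicates, which is fine if the list is only ever treated as a set, but the comment `# let's clean up the self-referential issue:` would say more as `# FIELDS_TO_SAVE itself can end up in the saved list; drop it so it is not re-saved into itself`. do_local_logout's body continues outside the hunk.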
@@ -126,8 +132,9 @@ def logout(request):
 def start(request, system_name):
   if not (system_name in auth.ENABLED_AUTH_SYSTEMS):
     return HttpResponseRedirect(reverse(index))
-    
-  request.session.save()
+  
+  # why is this here? Let's try without it
+  # request.session.save()
   
   # store in the session the name of the system used for auth
   request.session['auth_system_name'] = system_name
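Review bot: The commented-out `request.session.save()` together with `# why is this here? Let's try without it` leaves dead code and an open question in start(); delete the two lines or replace them with a comment stating the outcome of the experiment. If this is Django's session middleware, the assignment to `request.session['auth_system_name']` on the last line marks the session modified so it is persisted with the response, which would explain why the explicit save is unnecessary; if the original call was there to force a session key to exist before an external redirect, that reason should be recorded rather than guessed at in a comment. start's body continues outside the hunk.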
-- 
GitLab