root: disable session_save_every_request as it overwrites the session with old data

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #2991
2022-05-31 20:46:27 +02:00 · 2022-05-31 20:46:27 +02:00 · 34bcc2df1a
parent c00f2907ea
commit 34bcc2df1a
7 changed files with 6 additions and 8 deletions
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -341,6 +341,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                instance=request._request.session[SESSION_IMPERSONATE_ORIGINAL_USER],
                context=context,
            ).data
+        self.request.session.save()
        return Response(serializer.initial_data)

    @permission_required("authentik_core.reset_user_password")
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -117,7 +117,7 @@ class FlowPlanner:
        self.use_cache = True
        self.allow_empty_flows = False
        self.flow = flow
-        self._logger = get_logger().bind(flow=flow)
+        self._logger = get_logger().bind(flow_slug=flow.slug)

    def plan(
        self, request: HttpRequest, default_context: Optional[dict[str, Any]] = None
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -32,7 +32,7 @@ LOGGER = get_logger()


 class StageView(View):
-    """Abstract Stage, inherits TemplateView but can be combined with FormView"""
+    """Abstract Stage"""

    executor: "FlowExecutorView"

--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -421,6 +421,7 @@ class FlowExecutorView(APIView):
            # It's only deleted on a fresh executions
            # SESSION_KEY_HISTORY,
        ]
+        self._logger.debug("f(exec): cleaning up")
        for key in keys_to_delete:
            if key in self.request.session:
                del self.request.session[key]
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -216,14 +216,13 @@ CACHES = {
 DJANGO_REDIS_SCAN_ITERSIZE = 1000
 DJANGO_REDIS_IGNORE_EXCEPTIONS = True
 DJANGO_REDIS_LOG_IGNORED_EXCEPTIONS = True
-SESSION_ENGINE = "django.contrib.sessions.backends.cached_db"
+SESSION_ENGINE = "django.contrib.sessions.backends.cache"
 SESSION_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
 SESSION_CACHE_ALIAS = "default"
 # Configured via custom SessionMiddleware
 # SESSION_COOKIE_SAMESITE = "None"
 # SESSION_COOKIE_SECURE = True
 SESSION_EXPIRE_AT_BROWSER_CLOSE = True
-SESSION_SAVE_EVERY_REQUEST = True

 MESSAGE_STORAGE = "authentik.root.messages.storage.ChannelsStorage"

--- a/authentik/stages/prompt/stage.py
+++ b/authentik/stages/prompt/stage.py
@ -119,6 +119,7 @@ class PromptChallengeResponse(ChallengeResponse):
        engine = ListPolicyEngine(self.stage.validation_policies.all(), user, self.request)
        engine.mode = PolicyEngineMode.MODE_ALL
        engine.request.context[PLAN_CONTEXT_PROMPT] = attrs
+        engine.use_cache = False
        engine.build()
        result = engine.result
        if not result.passing:
--- a/website/docs/releases/v2022.6.md
+++ b/website/docs/releases/v2022.6.md
@ -15,10 +15,6 @@ slug: "2022.6"

    Instead of creating a Notification with each transport, there is now a new Transport mode called "Local", which locally creates the Notifications. This also adds the ability to customize the notification using a mapping.

-   Database-based sessions
-
-    Sessions have been migrated from the database, where as they previously were stored in the cache. This has a slight performance hit, however fixes random issues cause by non-atomic session changes.
-
 -   MFA Validation threshold has been migrated to signed cookies

    Last MFA validation is now saved in a signed cookie, which changes the behavior so that only the current browser is affected by MFA validation, and an attacker cannot exploit the fact that a user has recently authenticated with MFA.