root: disable session_save_every_request as it overwrites the session with old data
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #2991
parent
c00f2907ea
commit
34bcc2df1a
|
@ -341,6 +341,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
|
||||||
instance=request._request.session[SESSION_IMPERSONATE_ORIGINAL_USER],
|
instance=request._request.session[SESSION_IMPERSONATE_ORIGINAL_USER],
|
||||||
context=context,
|
context=context,
|
||||||
).data
|
).data
|
||||||
|
self.request.session.save()
|
||||||
return Response(serializer.initial_data)
|
return Response(serializer.initial_data)
|
||||||
|
|
||||||
@permission_required("authentik_core.reset_user_password")
|
@permission_required("authentik_core.reset_user_password")
|
||||||
|
|
|
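Review bot: The added `self.request.session.save()` needs a comment saying why an explicit save is required here, since the rest of the code relies on the middleware persisting the session at response time, e.g. `# SESSION_SAVE_EVERY_REQUEST is disabled in this commit; persist the impersonation change now`. The method also mixes `request._request.session` (two lines above) and `self.request.session` for what is presumably the same session object; using one form would make it clearer that the save covers the earlier mutation. The enclosing method starts outside the hunk, so the session change this save is meant to flush is not visible here.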
@ -117,7 +117,7 @@ class FlowPlanner:
|
||||||
self.use_cache = True
|
self.use_cache = True
|
||||||
self.allow_empty_flows = False
|
self.allow_empty_flows = False
|
||||||
self.flow = flow
|
self.flow = flow
|
||||||
self._logger = get_logger().bind(flow=flow)
|
self._logger = get_logger().bind(flow_slug=flow.slug)
|
||||||
|
|
||||||
def plan(
|
def plan(
|
||||||
self, request: HttpRequest, default_context: Optional[dict[str, Any]] = None
|
self, request: HttpRequest, default_context: Optional[dict[str, Any]] = None
|
||||||
|
|
|
@ -32,7 +32,7 @@ LOGGER = get_logger()
|
||||||
|
|
||||||
|
|
||||||
class StageView(View):
|
class StageView(View):
|
||||||
"""Abstract Stage, inherits TemplateView but can be combined with FormView"""
|
"""Abstract Stage"""
|
||||||
|
|
||||||
executor: "FlowExecutorView"
|
executor: "FlowExecutorView"
|
||||||
|
|
||||||
|
|
|
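Review bot: The shortened docstring `"""Abstract Stage"""` drops the only hint of how StageView is used; since the class body declares `executor: "FlowExecutorView"`, a one-line replacement such as `"""Abstract Stage; `executor` is the FlowExecutorView this stage runs under."""` would keep the documentation useful. Removing the old text is right, as the class inherits `View` rather than TemplateView. The class body continues outside the hunk.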
@ -421,6 +421,7 @@ class FlowExecutorView(APIView):
|
||||||
# It's only deleted on a fresh executions
|
# It's only deleted on a fresh executions
|
||||||
# SESSION_KEY_HISTORY,
|
# SESSION_KEY_HISTORY,
|
||||||
]
|
]
|
||||||
|
self._logger.debug("f(exec): cleaning up")
|
||||||
for key in keys_to_delete:
|
for key in keys_to_delete:
|
||||||
if key in self.request.session:
|
if key in self.request.session:
|
||||||
del self.request.session[key]
|
del self.request.session[key]
|
||||||
|
|
|
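Review bot: The new `self._logger.debug("f(exec): cleaning up")` would be more useful when troubleshooting session state if it recorded what is removed, e.g. `self._logger.debug("f(exec): cleaning up", keys=keys_to_delete)`, assuming `_logger` is a structlog bound logger as the `get_logger().bind(...)` call elsewhere in this commit suggests. With SESSION_SAVE_EVERY_REQUEST removed in this commit, the cleanup relies on `del self.request.session[key]` marking the session modified so the middleware still persists the deletion; Django's SessionBase does set `modified` on item deletion, so no explicit save is needed here. The enclosing method starts outside the hunk.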
@ -216,14 +216,13 @@ CACHES = {
|
||||||
DJANGO_REDIS_SCAN_ITERSIZE = 1000
|
DJANGO_REDIS_SCAN_ITERSIZE = 1000
|
||||||
DJANGO_REDIS_IGNORE_EXCEPTIONS = True
|
DJANGO_REDIS_IGNORE_EXCEPTIONS = True
|
||||||
DJANGO_REDIS_LOG_IGNORED_EXCEPTIONS = True
|
DJANGO_REDIS_LOG_IGNORED_EXCEPTIONS = True
|
||||||
SESSION_ENGINE = "django.contrib.sessions.backends.cached_db"
|
SESSION_ENGINE = "django.contrib.sessions.backends.cache"
|
||||||
SESSION_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
|
SESSION_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
|
||||||
SESSION_CACHE_ALIAS = "default"
|
SESSION_CACHE_ALIAS = "default"
|
||||||
# Configured via custom SessionMiddleware
|
# Configured via custom SessionMiddleware
|
||||||
# SESSION_COOKIE_SAMESITE = "None"
|
# SESSION_COOKIE_SAMESITE = "None"
|
||||||
# SESSION_COOKIE_SECURE = True
|
# SESSION_COOKIE_SECURE = True
|
||||||
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
|
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
|
||||||
SESSION_SAVE_EVERY_REQUEST = True
|
|
||||||
|
|
||||||
MESSAGE_STORAGE = "authentik.root.messages.storage.ChannelsStorage"
|
MESSAGE_STORAGE = "authentik.root.messages.storage.ChannelsStorage"
|
||||||
|
|
||||||
|
|
|
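Review bot: Moving sessions to the pure `cache` backend while keeping `SESSION_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"` means every session is stored as unsigned pickle data in Redis, so a compromised or writable cache becomes a code-execution vector when sessions are loaded; newer Django versions deprecate PickleSerializer for this reason, and `JSONSerializer` is the safer choice unless non-JSON session values are genuinely required. Dropping `SESSION_SAVE_EVERY_REQUEST` also means the server-side expiry is only refreshed when the session is modified, so an active session now expires SESSION_COOKIE_AGE after its last change rather than its last request, which is worth confirming is intended. Since the setting is removed deliberately, a comment would stop it being re-added, e.g. `# SESSION_SAVE_EVERY_REQUEST intentionally unset: saving on every request overwrote concurrent session changes (#2991)`. With `DJANGO_REDIS_IGNORE_EXCEPTIONS = True` a cache outage now silently invalidates all sessions rather than raising, which is acceptable only if the logged exceptions are monitored.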
@ -119,6 +119,7 @@ class PromptChallengeResponse(ChallengeResponse):
|
||||||
engine = ListPolicyEngine(self.stage.validation_policies.all(), user, self.request)
|
engine = ListPolicyEngine(self.stage.validation_policies.all(), user, self.request)
|
||||||
engine.mode = PolicyEngineMode.MODE_ALL
|
engine.mode = PolicyEngineMode.MODE_ALL
|
||||||
engine.request.context[PLAN_CONTEXT_PROMPT] = attrs
|
engine.request.context[PLAN_CONTEXT_PROMPT] = attrs
|
||||||
|
engine.use_cache = False
|
||||||
engine.build()
|
engine.build()
|
||||||
result = engine.result
|
result = engine.result
|
||||||
if not result.passing:
|
if not result.passing:
|
||||||
|
|
|
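Review bot: The added `engine.use_cache = False` is the kind of line a future cleanup removes unless it says why; a comment such as `# the verdict depends on the submitted prompt data in request.context, so a cached result from an earlier submission must not be reused` would pin it down. If that reading is right, the previous behaviour could apply a validation result cached from one submission to different `attrs`, which is both a correctness and a validation-bypass concern and arguably deserves a regression test. The enclosing method starts and ends outside the hunk.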
@ -15,10 +15,6 @@ slug: "2022.6"
|
||||||
|
|
||||||
Instead of creating a Notification with each transport, there is now a new Transport mode called "Local", which locally creates the Notifications. This also adds the ability to customize the notification using a mapping.
|
Instead of creating a Notification with each transport, there is now a new Transport mode called "Local", which locally creates the Notifications. This also adds the ability to customize the notification using a mapping.
|
||||||
|
|
||||||
- Database-based sessions
|
|
||||||
|
|
||||||
Sessions have been migrated from the database, where as they previously were stored in the cache. This has a slight performance hit, however fixes random issues cause by non-atomic session changes.
|
|
||||||
|
|
||||||
- MFA Validation threshold has been migrated to signed cookies
|
- MFA Validation threshold has been migrated to signed cookies
|
||||||
|
|
||||||
Last MFA validation is now saved in a signed cookie, which changes the behavior so that only the current browser is affected by MFA validation, and an attacker cannot exploit the fact that a user has recently authenticated with MFA.
|
Last MFA validation is now saved in a signed cookie, which changes the behavior so that only the current browser is affected by MFA validation, and an attacker cannot exploit the fact that a user has recently authenticated with MFA.
|
||||||
|
|