root: disable session_save_every_request as it overwrites the session with old data
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #2991
This commit is contained in:
parent
c00f2907ea
commit
34bcc2df1a
|
@ -341,6 +341,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
|
|||
instance=request._request.session[SESSION_IMPERSONATE_ORIGINAL_USER],
|
||||
context=context,
|
||||
).data
|
||||
self.request.session.save()
|
||||
return Response(serializer.initial_data)
|
||||
|
||||
@permission_required("authentik_core.reset_user_password")
|
||||
|
|
|
@ -117,7 +117,7 @@ class FlowPlanner:
|
|||
self.use_cache = True
|
||||
self.allow_empty_flows = False
|
||||
self.flow = flow
|
||||
self._logger = get_logger().bind(flow=flow)
|
||||
self._logger = get_logger().bind(flow_slug=flow.slug)
|
||||
|
||||
def plan(
|
||||
self, request: HttpRequest, default_context: Optional[dict[str, Any]] = None
|
||||
|
|
|
@ -32,7 +32,7 @@ LOGGER = get_logger()
|
|||
|
||||
|
||||
class StageView(View):
|
||||
"""Abstract Stage, inherits TemplateView but can be combined with FormView"""
|
||||
"""Abstract Stage"""
|
||||
|
||||
executor: "FlowExecutorView"
|
||||
|
||||
|
|
|
@ -421,6 +421,7 @@ class FlowExecutorView(APIView):
|
|||
# It's only deleted on a fresh executions
|
||||
# SESSION_KEY_HISTORY,
|
||||
]
|
||||
self._logger.debug("f(exec): cleaning up")
|
||||
for key in keys_to_delete:
|
||||
if key in self.request.session:
|
||||
del self.request.session[key]
|
||||
|
|
|
@ -216,14 +216,13 @@ CACHES = {
|
|||
DJANGO_REDIS_SCAN_ITERSIZE = 1000
|
||||
DJANGO_REDIS_IGNORE_EXCEPTIONS = True
|
||||
DJANGO_REDIS_LOG_IGNORED_EXCEPTIONS = True
|
||||
SESSION_ENGINE = "django.contrib.sessions.backends.cached_db"
|
||||
SESSION_ENGINE = "django.contrib.sessions.backends.cache"
|
||||
SESSION_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
|
||||
SESSION_CACHE_ALIAS = "default"
|
||||
# Configured via custom SessionMiddleware
|
||||
# SESSION_COOKIE_SAMESITE = "None"
|
||||
# SESSION_COOKIE_SECURE = True
|
||||
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
|
||||
SESSION_SAVE_EVERY_REQUEST = True
|
||||
|
||||
MESSAGE_STORAGE = "authentik.root.messages.storage.ChannelsStorage"
|
||||
|
||||
|
|
|
@ -119,6 +119,7 @@ class PromptChallengeResponse(ChallengeResponse):
|
|||
engine = ListPolicyEngine(self.stage.validation_policies.all(), user, self.request)
|
||||
engine.mode = PolicyEngineMode.MODE_ALL
|
||||
engine.request.context[PLAN_CONTEXT_PROMPT] = attrs
|
||||
engine.use_cache = False
|
||||
engine.build()
|
||||
result = engine.result
|
||||
if not result.passing:
|
||||
|
|
|
@ -15,10 +15,6 @@ slug: "2022.6"
|
|||
|
||||
Instead of creating a Notification with each transport, there is now a new Transport mode called "Local", which locally creates the Notifications. This also adds the ability to customize the notification using a mapping.
|
||||
|
||||
- Database-based sessions
|
||||
|
||||
Sessions have been migrated from the database, where as they previously were stored in the cache. This has a slight performance hit, however fixes random issues cause by non-atomic session changes.
|
||||
|
||||
- MFA Validation threshold has been migrated to signed cookies
|
||||
|
||||
Last MFA validation is now saved in a signed cookie, which changes the behavior so that only the current browser is affected by MFA validation, and an attacker cannot exploit the fact that a user has recently authenticated with MFA.
|
||||
|
|
Reference in New Issue