root: disable session_save_every_request as it overwrites the session with old data

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#2991
This commit is contained in:
Jens Langhammer 2022-05-31 20:46:27 +02:00
parent c00f2907ea
commit 34bcc2df1a
7 changed files with 6 additions and 8 deletions

View File

@ -341,6 +341,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
instance=request._request.session[SESSION_IMPERSONATE_ORIGINAL_USER],
context=context,
).data
self.request.session.save()
return Response(serializer.initial_data)
@permission_required("authentik_core.reset_user_password")

View File

@ -117,7 +117,7 @@ class FlowPlanner:
self.use_cache = True
self.allow_empty_flows = False
self.flow = flow
self._logger = get_logger().bind(flow=flow)
self._logger = get_logger().bind(flow_slug=flow.slug)
def plan(
self, request: HttpRequest, default_context: Optional[dict[str, Any]] = None

View File

@ -32,7 +32,7 @@ LOGGER = get_logger()
class StageView(View):
"""Abstract Stage, inherits TemplateView but can be combined with FormView"""
"""Abstract Stage"""
executor: "FlowExecutorView"

View File

@ -421,6 +421,7 @@ class FlowExecutorView(APIView):
# It's only deleted on a fresh executions
# SESSION_KEY_HISTORY,
]
self._logger.debug("f(exec): cleaning up")
for key in keys_to_delete:
if key in self.request.session:
del self.request.session[key]

View File

@ -216,14 +216,13 @@ CACHES = {
DJANGO_REDIS_SCAN_ITERSIZE = 1000
DJANGO_REDIS_IGNORE_EXCEPTIONS = True
DJANGO_REDIS_LOG_IGNORED_EXCEPTIONS = True
SESSION_ENGINE = "django.contrib.sessions.backends.cached_db"
SESSION_ENGINE = "django.contrib.sessions.backends.cache"
SESSION_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
SESSION_CACHE_ALIAS = "default"
# Configured via custom SessionMiddleware
# SESSION_COOKIE_SAMESITE = "None"
# SESSION_COOKIE_SECURE = True
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
SESSION_SAVE_EVERY_REQUEST = True
MESSAGE_STORAGE = "authentik.root.messages.storage.ChannelsStorage"

View File

@ -119,6 +119,7 @@ class PromptChallengeResponse(ChallengeResponse):
engine = ListPolicyEngine(self.stage.validation_policies.all(), user, self.request)
engine.mode = PolicyEngineMode.MODE_ALL
engine.request.context[PLAN_CONTEXT_PROMPT] = attrs
engine.use_cache = False
engine.build()
result = engine.result
if not result.passing:

View File

@ -15,10 +15,6 @@ slug: "2022.6"
Instead of creating a Notification with each transport, there is now a new Transport mode called "Local", which locally creates the Notifications. This also adds the ability to customize the notification using a mapping.
- Database-based sessions
Sessions have been migrated from the database, where as they previously were stored in the cache. This has a slight performance hit, however fixes random issues cause by non-atomic session changes.
- MFA Validation threshold has been migrated to signed cookies
Last MFA validation is now saved in a signed cookie, which changes the behavior so that only the current browser is affected by MFA validation, and an attacker cannot exploit the fact that a user has recently authenticated with MFA.