This list is closed, nobody may subscribe to it.
|
From: Adam B. <Ada...@ja...> - 2010-10-01 15:05:53
|
I have tracked down the issue; fortunately, changing settings.DEBUG_SECURE to False mitigates it; /adm/ works fine when this setting is disabled. It is caused by the process_request; when the setting is enabled the existing session is overwritten. When it is off, that branch of the code is skipped.

The securesessionmiddleware does present another slightly related issue, in that it forces the admin console to use http; https requests are redirected to a standard http connection. Sending the administrative passwords in the clear is obviously not ideal.

At the moment, I've just added /adm/ as a special case in the block that does the redirection. However, it might be best to add a whitelist to settings.py, or some other more permanent solution.

Adam Bishop
JANET(UK)
01235 222245 ext245

From: Adam Bishop [mailto:Ada...@ja...]
Sent: 30 September 2010 15:34
To: mol...@li...
Subject: [molly-users] django.contrib.admin/molly.auth.middleware.securesessionmiddleware issue

I've been looking at molly for possible use here, and have run into a minor issue with the admin console. I'm part way to tracking it down, but I figure you guys might be able to pin it down faster.

With securesessionmiddleware loaded, I'm unable to access the admin console (/adm/) on the molly_oxford demo; logging in with valid credentials bounces you straight back to the login form with no error displayed. Disabling the middleware makes everything work fine.

Specifically, it is the process_request method that is causing the problem, at line 45 (request.user = user) where it overwrites the standard session with a secure one. Examining user shows that username is set to a hash of some sort, rather than the username used to log in. It seems that either the login is not being processed properly, or it is not being retrieved correctly.

It's possible this is an environmental problem; a bit of coercion was needed to get molly working wrt the database and dependencies.

If there is any more information you need from me, please let me know. If I manage to pin this down in the meantime I'll try and put together a patch.

As a side note, the framework seems to work fine being served by mod_passenger rather than mod_python (I did look at this as a cause, but the issue occurs using runserver too).

Adam Bishop
JANET(UK)
01235 222245 ext245

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
|
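One way to express the settings.py whitelist suggested in the message above, as an added example that is not part of the original thread and is not Molly's code: the setting name `SECURE_PATH_PREFIXES`, the function names and the `example.org` URLs are assumptions. Listed prefixes are upgraded to HTTPS and exempt from the redirect to HTTP, and matching is done on the decoded, normalised path so that `/admissions/` and `/contact/../adm` are classified correctly.

```python
import posixpath
from urllib.parse import unquote, urlsplit, urlunsplit

# Hypothetical settings.py entry: prefixes that must only be served over HTTPS.
SECURE_PATH_PREFIXES = ("/adm/",)


def normalise(path):
    """Collapse '.', '..' and repeated slashes; always end with '/'."""
    norm = "/" + posixpath.normpath(path or "/").lstrip("/")
    return norm if norm.endswith("/") else norm + "/"


def is_secure_path(path, prefixes=SECURE_PATH_PREFIXES):
    """True if the decoded, normalised path falls under a listed prefix."""
    norm = normalise(unquote(path))
    # Comparing whole segments keeps '/admissions/' from matching '/adm/'.
    return any(norm.startswith(normalise(p)) for p in prefixes)


def redirect_target(url, prefixes=SECURE_PATH_PREFIXES, downgrade_others=True):
    """Return the URL to redirect to, or None to serve the request as-is."""
    parts = urlsplit(url)
    if is_secure_path(parts.path, prefixes):
        # Listed paths are upgraded to HTTPS and never sent back to HTTP.
        if parts.scheme == "https":
            return None
        return urlunsplit(parts._replace(scheme="https"))
    if downgrade_others and parts.scheme == "https":
        # Mirrors the redirect to plain HTTP that the message describes.
        return urlunsplit(parts._replace(scheme="http"))
    return None


if __name__ == "__main__":
    # Constructed sample requests.
    for u in ("https://m.example.org/adm/",
              "http://m.example.org/adm/login/?next=/adm/",
              "https://m.example.org/admissions/",
              "http://m.example.org/contact/../adm"):
        print(u, "->", redirect_target(u))
```
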
|
From: Adam B. <Ada...@ja...> - 2010-09-30 14:56:36
|
I've been looking at molly for possible use here, and have run into a minor issue with the admin console. I'm part way to tracking it down, but I figure you guys might be able to pin it down faster.

With securesessionmiddleware loaded, I'm unable to access the admin console (/adm/) on the molly_oxford demo; logging in with valid credentials bounces you straight back to the login form with no error displayed. Disabling the middleware makes everything work fine.

Specifically, it is the process_request method that is causing the problem, at line 45 (request.user = user) where it overwrites the standard session with a secure one. Examining user shows that username is set to a hash of some sort, rather than the username used to log in. It seems that either the login is not being processed properly, or it is not being retrieved correctly.

It's possible this is an environmental problem; a bit of coercion was needed to get molly working wrt the database and dependencies.

If there is any more information you need from me, please let me know. If I manage to pin this down in the meantime I'll try and put together a patch.

As a side note, the framework seems to work fine being served by mod_passenger rather than mod_python (I did look at this as a cause, but the issue occurs using runserver too).

Adam Bishop
JANET(UK)
01235 222245 ext245
|