A new feature toggle, default off, causes the session to be deleted when the user identity on the response does not match the session or request.

There are a small number of requests that cause the user present on the session at the time of the request to be a different user by the time of the response. As far as I can tell, these are all cases where a user's browser somehow ends up with a mix of cookies from multiple legitimate login sessions on different accounts on the same device. Because there no longer seems to be any case where this mismatch occurs and where the response should be allowed through, this commit introduces a feature toggle `ENFORCE_SAFE_SESSIONS` which will destroy the active session and overwrite the response. The plan is to make this behavior available in the next named release and permanent in the one after.

Also:

- Use less fragile method of checking mocked set_attribute calls in tests
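The check the commit message describes, written out as an added illustration (this is not Open edX's code). It snapshots the user bound to the session when the request arrives, compares it against the request user and the response user when the response is built, and, with the toggle on, flushes the session and replaces the response instead of letting it through. The `SafeSessionCheck`, `Request`, `Response` and `Session` stand-ins, the 401 replacement response, and the decision to treat anonymous-to-user (login) and user-to-anonymous (logout) transitions as legitimate are all assumptions made for this example; only the toggle name comes from the commit message.

```python
"""Illustrative 'safe sessions' check: the user bound to the session at request
time must still be the user on the request and response at response time.
Example code, not Open edX's implementation; class names and the 401 reply
are assumptions."""
import logging
from dataclasses import dataclass, field
from typing import Optional, Tuple

log = logging.getLogger(__name__)

# Toggle name taken from the commit message; the project ships it default-off.
ENFORCE_SAFE_SESSIONS = False


@dataclass
class Session:
    """Stand-in for a server-side session store (constructed for this example)."""
    data: dict = field(default_factory=dict)
    flushed: bool = False

    def flush(self) -> None:
        self.data.clear()
        self.flushed = True


@dataclass
class Request:
    session: Session
    user_id: Optional[int] = None              # identity resolved while handling the request
    safe_session_user_id: Optional[int] = None  # snapshot taken before any view runs


@dataclass
class Response:
    status: int
    body: str
    user_id: Optional[int] = None  # identity the view served the response for


class SafeSessionCheck:
    def __init__(self, enforce: bool = ENFORCE_SAFE_SESSIONS):
        self.enforce = enforce

    def process_request(self, request: Request) -> None:
        # Record who the session cookie said the user was at the start of the request.
        request.safe_session_user_id = request.session.data.get("_auth_user_id")

    def process_response(self, request: Request, response: Response) -> Response:
        expected = request.safe_session_user_id
        # Assumption: anonymous at request (login) or at response (logout) is a
        # normal transition, not an identity swap; only compare authenticated ids.
        if expected is None or response.user_id is None:
            return response
        if response.user_id == expected and request.user_id == expected:
            return response
        log.warning("session user %s != request user %s / response user %s",
                    expected, request.user_id, response.user_id)
        if not self.enforce:
            return response  # toggle off: observe only
        # Toggle on: destroy the session so no cookie keeps the mixed identity
        # alive, and never let the mismatched response reach the browser.
        request.session.flush()
        return Response(status=401, body="Session invalidated", user_id=None)


def run_scenario(session_user: Optional[int], request_user: Optional[int],
                 response_user: Optional[int], enforce: bool) -> Tuple[int, bool]:
    """Drive one request through the check; returns (status, session_flushed)."""
    data = {"_auth_user_id": session_user} if session_user is not None else {}
    session = Session(data=data)
    request = Request(session=session, user_id=request_user)
    check = SafeSessionCheck(enforce=enforce)
    check.process_request(request)
    response = check.process_response(request, Response(200, "ok", user_id=response_user))
    return response.status, session.flushed


if __name__ == "__main__":
    print(run_scenario(1, 1, 1, True))       # consistent identity -> (200, False)
    print(run_scenario(1, 1, 2, True))       # user swapped mid-request -> (401, True)
    print(run_scenario(1, 1, 2, False))      # toggle off: logged only -> (200, False)
    print(run_scenario(None, None, 1, True)) # login transition -> (200, False)
```

The snapshot in `process_request` is what makes the check meaningful: by the time the response exists, a mixed set of cookies may already have rebound the session to another account, so the comparison has to be against the identity seen before any view ran, not against the session's current contents.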
Open edX
--------

This is the root package for Open edX. The intent is that all importable code from Open edX will eventually live here, including the code in the lms, cms, and common directories.

If you're adding a new Django app, place it in core/djangoapps. If you're adding utilities that require Django, place them in core/djangolib. If you're adding code that defines no Django models or views of its own but is widely useful, put it in core/lib.

Note: All new code should be created in this package, and the legacy code will be moved here gradually. For now the code is not structured like this, and hence legacy code will continue to live in a number of different packages.