Channels - logout not resetting message.user value on new WebSocket connections

[Sergio Diaz]

Hello,

I'm trying out Channels in Django 1.11 and set up a few consumers, looking like this:

@channel_session_user_from_http
def ws_connect(message, slug):
    if message.user.is_authenticated():
         message.reply_channel.send({"accept": True})
    else:
         message.reply_channel.send({"accept": False})

And it works before logging in; the connection is closed and dropped when the user is logged out. Once logged in, it begins accepting socket connections.

Then, I hit `accounts/logout` (the default login view), and everything logs out. I can't view protected (login_required) views anymore, and it seems like everything was unset properly.

However, when I open up the console and fire another websocket request, the request passes the is_authenticated check and enters with the old logged out user, as if it was not cleared. This only happens within channels, every other part of the site is logged out, but this seems to retain the session and not clear it.

Is there any solution to this, am I approaching this wrong, or is this a known issue?

Thanks in advance.

[Andrew Godwin]

This isn't a known issue, but I'll need more debugging info to know if it's Channels or not. Couple of checks:

 - The way to reject a socket connection is "close": True, not "accept": False; try changing to that

 - What is the value of message.user and message.reply_channel on each of a a) correctly denied logged out request, b) correctly accepted logged in request, c) incorrectly accepted logged out request after having just logged out?

Andrew

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/ad49c85d-78f0-4420-acdf-c84ff02524b7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Melvyn Sopacua]

On Sunday 26 March 2017 15:40:28 Andrew Godwin wrote:

 

> - The way to reject a socket connection is "close": True, not

> "accept": False; try changing to that

 

If there is no use case for 'accept': False, then it makes more sense to change the API to reply_channel.accept() and reply_channel.reject().

 

> > def ws_connect(message, slug):

> > if message.user.is_authenticated():

> > message.reply_channel.send({"accept": True})

> >

> > else:

> > message.reply_channel.send({"accept": False})

 

My 2c.

--

Melvyn Sopacua

[Andrew Godwin]

Or make "accept": False do the same as "close": True. The reason that close is a separate argument is that you can pass a WebSocket close code, optionally (we have a default if you don't, but that's probably enough for most people)

Andrew

--

You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/1606140.jmrvaBkSz8%40devstation.

[Andrew Godwin]

To follow up on this - I have updated the spec (http://channels.readthedocs.io/en/latest/asgi/www.html) to clarify exactly how accept works, added accept: False as an allowed value, and patched Daphne to work with that as of next release.

Andrew