You could also move to use the Argon2 hasher, which does not have any
changes between versions to log out users:
https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#using-argon2-with-django

It's also considered more secure. As the docs say:

> Argon2 is not the default for Django because it requires a third-party
> library. The Password Hashing Competition panel, however, recommends
> immediate use of Argon2 rather than the other algorithms supported by
> Django.

Requiring a third-party library is less controversial these days compared
to when we added the Argon2 hasher. Perhaps we could make it the default
for new projects now, rather than changing our frequency of increasing
PBKDF2 iterations.

On Thu, 3 Sep 2020 at 09:58, אורי <u...@speedy.net> wrote:

> Hi,
>
> To conclude, I think it would be better to change the number of iterations
> not every 8 months, but every 2 years (with a new LTS release).
>
> אורי
> u...@speedy.net
>
>
> On Thu, Sep 3, 2020 at 10:29 AM Florian Apolloner <f.apollo...@gmail.com>
> wrote:
>
>> I do not think there is anything to reopen because it works as designed.
>> Password changes cause other browser sessions to be terminated because the
>> session auth hash no longer matches.  You can use a custom user model and
>> override `get_session_auth_hash` but the defaults won't change, sorry.
>>
>> On Thursday, September 3, 2020 at 4:56:13 AM UTC+2 Uri wrote:
>>
>>> Django developers,
>>>
>>> I would like to reopen #31970
>>> <https://code.djangoproject.com/ticket/31970>. In short, the problem is
>>> - if a user is logged in with more than one browser, and when we upgrade
>>> Django to any version which *PBKDF2PasswordHasher.iterations* changes
>>> (which is *any* new version), and then the user logs in again - this
>>> logs them out from all other browsers. I think this is a bug.
>>>
>>> I found out that this can be avoided by changing *def must_update*, for
>>> example if you change it to something like:
>>>
>>> def must_update(self, encoded):
>>>     # Update the stored password only if the iterations diff is at least 250,000.
>>>     algorithm, iterations, salt, hash = encoded.split('$', 3)
>>>     iterations_diff = abs(self.iterations - int(iterations))
>>>     return (int(iterations) != self.iterations) and (iterations_diff >= 250000)
>>>
>>> Or even simply:
>>>
>>> def must_update(self, encoded):
>>>     return False
>>>
>>>
>>> אורי
>>> u...@speedy.net
>>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Django developers (Contributions to Django itself)" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to django-developers+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/django-developers/87b16804-3da2-46b7-8ff5-466cd2f38aa2n%40googlegroups.com
>> <https://groups.google.com/d/msgid/django-developers/87b16804-3da2-46b7-8ff5-466cd2f38aa2n%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>>


-- 
Adam

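As an added example (not code from this thread or from Django itself), the following standalone simulation shows why a change in PBKDF2PasswordHasher.iterations logs out a user's other browsers on their next login, and how the threshold variant of must_update discussed above avoids it. It assumes a simplified session_auth_hash (an HMAC over the stored password field) standing in for get_session_auth_hash, constructed small iteration counts, and the helper names encode, verify, login and other_sessions_survive.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"

def encode(password, salt, iterations):
    # Same "algorithm$iterations$salt$hash" layout that must_update() splits on.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, base64.b64encode(dk).decode())

def verify(password, encoded):
    _, iterations, salt, _ = encoded.split("$", 3)
    return hmac.compare_digest(encode(password, salt, int(iterations)), encoded)

def must_update_default(encoded, current_iterations):
    # Django's behaviour: any change in the iteration count triggers a rehash.
    return int(encoded.split("$", 3)[1]) != current_iterations

def must_update_threshold(encoded, current_iterations, threshold=250_000):
    # The variant proposed in the thread: rehash only on a large jump.
    stored = int(encoded.split("$", 3)[1])
    return stored != current_iterations and abs(current_iterations - stored) >= threshold

def session_auth_hash(encoded, secret):
    # Simplified stand-in for get_session_auth_hash(): an HMAC over the stored password
    # field, so any rewrite of that field changes the value other sessions were issued.
    return hmac.new(secret, encoded.encode(), "sha256").hexdigest()

def login(user, password, current_iterations, must_update):
    # Mirrors the upgrade path in check_password(): verify, then rehash if must_update() says so.
    if not verify(password, user["password"]):
        raise ValueError("bad password")
    if must_update(user["password"], current_iterations):
        user["password"] = encode(password, secrets.token_hex(8), current_iterations)

def other_sessions_survive(old_iterations, new_iterations, must_update, secret=b"constructed-secret"):
    # True if a session created before the Django upgrade still matches after the user logs in again.
    user = {"password": encode("correct horse", "saltsalt", old_iterations)}
    before = session_auth_hash(user["password"], secret)
    login(user, "correct horse", new_iterations, must_update)
    return before == session_auth_hash(user["password"], secret)

if __name__ == "__main__":
    # Constructed iteration counts (small, for speed); the real defaults are far larger.
    print("default must_update, 1000 -> 2000:", other_sessions_survive(1000, 2000, must_update_default))
    print("threshold must_update, 1000 -> 2000:", other_sessions_survive(1000, 2000, must_update_threshold))
    print("threshold must_update, 1000 -> 300000:", other_sessions_survive(1000, 300_000, must_update_threshold))
```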
