Re: Suggestion for starting contribution to Django

2020-09-03 Thread Shekhar Gyanwali
Hi Faraz,

Django Chat podcast episode *Contributing to Django* helped me a lot, where Carlton
and Will talked about what the journey could be like for beginners.

Hope that helps.

Cheers
Shekhar


On Fri, Sep 4, 2020 at 4:58 AM Faraz Khan  wrote:

> Thank you! I'll look into this.
>
> On Thu, Sep 3, 2020 at 10:59 PM Carlton Gibson 
> wrote:
>
>> > Here’s a link to the issue tracker, showing the open tickets for
>> contrib.staticfiles.
>>
>> Of course I then fail to paste the link. 
>>
>> Here’s the link:
>>
>> https://code.djangoproject.com/query?status=assigned=new=contrib.staticfiles=id=summary=status=component=owner=type=version=1=id
>>
>> C.
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CAHAmSnq15W7AyChCcUzfA409nM%3DdhJJMqrQFukk8FfZ6sZeVGg%40mail.gmail.com.


Re: Suggestion for starting contribution to Django

2020-09-03 Thread Faraz Khan
Thank you! I'll look into this.

On Thu, Sep 3, 2020 at 10:59 PM Carlton Gibson 
wrote:

> > Here’s a link to the issue tracker, showing the open tickets for
> contrib.staticfiles.
>
> Of course I then fail to paste the link. 
>
> Here’s the link:
>
> https://code.djangoproject.com/query?status=assigned=new=contrib.staticfiles=id=summary=status=component=owner=type=version=1=id
>
> C.
>



Re: Suggestion for starting contribution to Django

2020-09-03 Thread Carlton Gibson
> Here’s a link to the issue tracker, showing the open tickets for 
contrib.staticfiles. 

Of course I then fail to paste the link. 

Here’s the link: 
https://code.djangoproject.com/query?status=assigned=new=contrib.staticfiles=id=summary=status=component=owner=type=version=1=id

C.



Re: Suggestion for starting contribution to Django

2020-09-03 Thread Carlton Gibson
Hi Hasan. 

Welcome. Let’s see if we can get you started. 

Begin with the Contributing Guide: 
https://docs.djangoproject.com/en/3.1/internals/contributing/
You don’t have to read it all to start. 

Check out the Advice for New Contributors, and then see if you can get 
set up with the Unit Tests. 
https://docs.djangoproject.com/en/3.1/internals/contributing/new-contributors/
https://docs.djangoproject.com/en/3.1/internals/contributing/writing-code/unit-tests/
Both of those link to a tutorial on writing patches, that’s worth stepping 
through.

More or less, if you can get the test env set up and run the tests then you 
should be good to go. 

Then there’s finding a ticket. 
Here’s a link to the issue tracker, showing the open tickets for 
contrib.staticfiles. 
You can adjust the “Component” drop down and hit “Update” to see other 
areas, and add/remove other filters at will.
We have ≈1100 open accepted tickets, so you should be able to find 
something. 

If you get stuck, or have questions, or anything else, do post back here, 
or on the Forum, where there’s a “Mentoring” channel.
https://forum.djangoproject.com/

Hopefully that should get you going. 

Kind regards, Carlton 

On Thursday, 3 September 2020 at 17:16:49 UTC+2 farazk...@gmail.com wrote:

> Hello Mentors and contributors, I am an undergrad CS student. And I was 
> actually looking for some suggestions from your side. I am planning to 
> apply for GSoC next year. I was planning to start making contributions in 
> Django. I am already familiar with Django and packaging, but I have never 
> contributed to Django before. I looked at some issues on GitHub and they 
> look very different from what I was learning all this time. Can you please 
> tell me what do I have to know before I can actually start making 
> contributions? That'll be very helpful. Thank you. 
> Best Regards,
> Hasan Faraz Khan.
>



Suggestion for starting contribution to Django

2020-09-03 Thread Faraz Khan
Hello Mentors and contributors, I am an undergrad CS student. And I was 
actually looking for some suggestions from your side. I am planning to 
apply for GSoC next year. I was planning to start making contributions in 
Django. I am already familiar with Django and packaging, but I have never 
contributed to Django before. I looked at some issues on GitHub and they 
look very different from what I was learning all this time. Can you please 
tell me what do I have to know before I can actually start making 
contributions? That'll be very helpful. Thank you. 
Best Regards,
Hasan Faraz Khan.



Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread Florian Apolloner


On Thursday, September 3, 2020 at 11:10:39 AM UTC+2 Adam Johnson wrote:

> You could also move to use the Argon2 hasher, which does not have any 
> changes between versions to log out users: 
> https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#using-argon2-with-django
>

Or a custom subclass of a PBKDF2 which sets the wanted iteration count… I 
think the defaults in Django are fine :) 



Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread Adam Johnson
You could also move to use the Argon2 hasher, which does not have any
changes between versions to log out users:
https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#using-argon2-with-django

It's also considered more secure. As the docs say:

Argon2 is not the default for Django because it requires a third-party
> library. The Password Hashing Competition panel, however, recommends
> immediate use of Argon2 rather than the other algorithms supported by
> Django.
>

Requiring a third-party library is less controversial these days compared
to when we added the Argon2 hasher. Perhaps we could make it the default
for new projects now, rather than changing our frequency of increasing
PBKDF2 iterations.

On Thu, 3 Sep 2020 at 09:58, אורי wrote:

> Hi,
>
> To conclude, I think it would be better to change the number of iterations
> not every 8 months, but every 2 years (with a new LTS release).
>
> אורי
> u...@speedy.net
>
>
> On Thu, Sep 3, 2020 at 10:29 AM Florian Apolloner 
> wrote:
>
>> I do not think there is anything to reopen because it works as designed.
>> Password changes cause other browser sessions to be terminated because the
>> session auth hash no longer matches.  You can use a custom user model and
>> override `get_session_auth_hash` but the defaults won't change, sorry.
>>
>> On Thursday, September 3, 2020 at 4:56:13 AM UTC+2 Uri wrote:
>>
>>> Django developers,
>>>
>>> I would like to reopen #31970. In short, the problem is
>>> - if a user is logged in with more than one browser, and when we upgrade
>>> Django to any version which *PBKDF2PasswordHasher.iterations* changes
>>> (which is *any* new version), and then the user logs in again - this
>>> logs them out from all other browsers. I think this is a bug.
>>>
>>> I found out that this can be avoided by changing *def must_update*, for
>>> example if you change it to something like:
>>>
>>> def must_update(self, encoded):
>>>     # Update the stored password only if the iterations diff is at least
>>>     # 250,000.
>>>     algorithm, iterations, salt, hash = encoded.split('$', 3)
>>>     iterations_diff = abs(self.iterations - int(iterations))
>>>     return ((int(iterations) != self.iterations) and (iterations_diff >= 250000))
>>>
>>> Or even simply:
>>>
>>> def must_update(self, encoded):
>>>     return False
>>>
>>>
>>> אורי
>>> u...@speedy.net
>>>


-- 
Adam



Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread Carlton Gibson


> On 3 Sep 2020, at 10:57, Tom Forbes  wrote:
> 
> You might have a point regarding the frequency of bumping the PBKDF iteration 
> setting. Is bumping it 5 times in 13 months really required?

It was more like 40 months. 

For 1.11: May 20, 2016
https://github.com/django/django/commit/1915a7e5c56d996b0e98decf8798c7f47ff04e76

For 3.1: Sep 12, 2019
https://github.com/django/django/commit/b5db65c4fbcf05cb03d039166abf115930dc7577

> On the other hand you might want to consider staying on the LTS releases and 
> avoid issues such as this...

The issue came up because of starting on the LTS and then wanting the new 
features… — You’re on the latest version now Uri, which is the good place to be 
(!) — so it’s once in 8 months you’re going to hit this.



Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread אורי
On Thu, Sep 3, 2020 at 11:57 AM Tom Forbes  wrote:

> You might have a point regarding the frequency of bumping the PBKDF
> iteration setting. Is bumping it 5 times in 13 months really required? On
> the other hand you might want to consider staying on the LTS releases and
> avoid issues such as this, and the issue you’re describing is quite niche.
>
> However, I would say that based on your previous posts to this mailing
> list around authentication that you are definitely in need of some form of
> federated login/SSO for your several web properties. That would certainly
> alleviate this issue and some of the other problems you’ve reported here.
>

Thank you for your suggestions. I was not aware that upgrading to non-LTS
releases will log out users. It's good to know now.



Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread אורי
Hi,

To conclude, I think it would be better to change the number of iterations
not every 8 months, but every 2 years (with a new LTS release).

אורי
u...@speedy.net


On Thu, Sep 3, 2020 at 10:29 AM Florian Apolloner 
wrote:

> I do not think there is anything to reopen because it works as designed.
> Password changes cause other browser sessions to be terminated because the
> session auth hash no longer matches.  You can use a custom user model and
> override `get_session_auth_hash` but the defaults won't change, sorry.
>
> On Thursday, September 3, 2020 at 4:56:13 AM UTC+2 Uri wrote:
>
>> Django developers,
>>
>> I would like to reopen #31970. In short, the problem is
>> - if a user is logged in with more than one browser, and when we upgrade
>> Django to any version which *PBKDF2PasswordHasher.iterations* changes
>> (which is *any* new version), and then the user logs in again - this
>> logs them out from all other browsers. I think this is a bug.
>>
>> I found out that this can be avoided by changing *def must_update*, for
>> example if you change it to something like:
>>
>> def must_update(self, encoded):
>>     # Update the stored password only if the iterations diff is at least
>>     # 250,000.
>>     algorithm, iterations, salt, hash = encoded.split('$', 3)
>>     iterations_diff = abs(self.iterations - int(iterations))
>>     return ((int(iterations) != self.iterations) and (iterations_diff >= 250000))
>>
>> Or even simply:
>>
>> def must_update(self, encoded):
>>     return False
>>
>>
>> אורי
>> u...@speedy.net
>>



Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread Tom Forbes
You might have a point regarding the frequency of bumping the PBKDF iteration 
setting. Is bumping it 5 times in 13 months really required? On the other hand 
you might want to consider staying on the LTS releases and avoid issues such as 
this, and the issue you’re describing is quite niche.

However, I would say that based on your previous posts to this mailing list 
around authentication that you are definitely in need of some form of federated 
login/SSO for your several web properties. That would certainly alleviate this 
issue and some of the other problems you’ve reported here.

Tom 

> On 3 Sep 2020, at 09:47, אורי <u...@speedy.net> wrote:
> 
> Hi,
> 
> On Thu, Sep 3, 2020 at 11:23 AM Shai Berger wrote:
> 
> Please be aware that this is a security issue. The passwords are
> encrypted as protection for the case that they fall into the hands of
> an attacker, but for this protection to be effective, it must stay hard
> and costly to brute-force them. The number of iterations is enlarged in
> order to keep this cost up with the improvements of available hardware.
> If you intend to keep a user's password un-updated for many years, it's
> almost as bad as keeping it in plaintext -- in 10-15 years, we'd expect
> the number of iterations in current Django to be grossly insufficient.
> 
> I don't intend to keep the settings of now for 10-15 years. But since I 
> launched Speedy Net in Django 1.11 in production 13 months ago, I upgraded to 
> 2.0, 2.1, 2.2, 3.0 and now 3.1. These are 5 major version upgrades in 13 
> months. I don't see a reason why the number of iterations should have changed 
> 5 times in 13 months. Even if I would upgrade Django every 8 months, I prefer 
> to keep the number of iterations and change it every 2-3 years, if this logs 
> out users. I'm not sure if I'll write a blog post, but you can see our patch 
> on GitHub:
> 
> https://github.com/speedy-net/speedy-net/blob/master/speedy/core/patches/session_patches.py
> 
> I wish I knew about this issue before and then I would have patched something 
> like this before, before causing this to change 5 times in production.
> 
> אורי.
> 



Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread אורי
Hi,

On Thu, Sep 3, 2020 at 11:23 AM Shai Berger  wrote:

>
> Please be aware that this is a security issue. The passwords are
> encrypted as protection for the case that they fall into the hands of
> an attacker, but for this protection to be effective, it must stay hard
> and costly to brute-force them. The number of iterations is enlarged in
> order to keep this cost up with the improvements of available hardware.
> If you intend to keep a user's password un-updated for many years, it's
> almost as bad as keeping it in plaintext -- in 10-15 years, we'd expect
> the number of iterations in current Django to be grossly insufficient.


I don't intend to keep the settings of now for 10-15 years. But since I
launched Speedy Net in Django 1.11 in production 13 months ago, I upgraded
to 2.0, 2.1, 2.2, 3.0 and now 3.1. These are 5 major version upgrades in 13
months. I don't see a reason why the number of iterations should have
changed 5 times in 13 months. Even if I would upgrade Django every 8
months, I prefer to keep the number of iterations and change it every 2-3
years, if this logs out users. I'm not sure if I'll write a blog post, but
you can see our patch on GitHub:

https://github.com/speedy-net/speedy-net/blob/master/speedy/core/patches/session_patches.py

I wish I knew about this issue before and then I would have patched
something like this before, before causing this to change 5 times in
production.

אורי.



Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread Shai Berger
Hi Uri and all,

On Thu, 3 Sep 2020 08:37:42 +0100
Adam Johnson  wrote:

> I agree with Florian.
> 

Me too.

> The occasional forced logout is probably fine. If you care about this
> enough Uri, you could write a blog post documenting your patch and
> how to use it when upgrading Django.
> 

But:

> On Thu, 3 Sep 2020 at 08:29, Florian Apolloner 
> wrote:
> > On Thursday, September 3, 2020 at 4:56:13 AM UTC+2 Uri wrote:
> >>
> >> I found out that this can be avoided by changing *def
> >> must_update*, for example if you change it to something like:
> >>
> >> def must_update(self, encoded):
> >>     # Update the stored password only if the iterations diff is at least
> >>     # 250,000.
> >>     algorithm, iterations, salt, hash = encoded.split('$', 3)
> >>     iterations_diff = abs(self.iterations - int(iterations))
> >>     return ((int(iterations) != self.iterations) and (iterations_diff >= 250000))
> >>
> >> Or even simply:
> >>
> >> def must_update(self, encoded):
> >>     return False
> >>

Please be aware that this is a security issue. The passwords are
encrypted as protection for the case that they fall into the hands of
an attacker, but for this protection to be effective, it must stay hard
and costly to brute-force them. The number of iterations is enlarged in
order to keep this cost up with the improvements of available hardware.
If you intend to keep a user's password un-updated for many years, it's
almost as bad as keeping it in plaintext -- in 10-15 years, we'd expect
the number of iterations in current Django to be grossly insufficient.

HTH,
Shai.



Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread Adam Johnson
I agree with Florian.

The occasional forced logout is probably fine. If you care about this
enough Uri, you could write a blog post documenting your patch and how to
use it when upgrading Django.

On Thu, 3 Sep 2020 at 08:29, Florian Apolloner 
wrote:

> I do not think there is anything to reopen because it works as designed.
> Password changes cause other browser sessions to be terminated because the
> session auth hash no longer matches.  You can use a custom user model and
> override `get_session_auth_hash` but the defaults won't change, sorry.
>
> On Thursday, September 3, 2020 at 4:56:13 AM UTC+2 Uri wrote:
>
>> Django developers,
>>
>> I would like to reopen #31970. In short, the problem is
>> - if a user is logged in with more than one browser, and when we upgrade
>> Django to any version which *PBKDF2PasswordHasher.iterations* changes
>> (which is *any* new version), and then the user logs in again - this
>> logs them out from all other browsers. I think this is a bug.
>>
>> I found out that this can be avoided by changing *def must_update*, for
>> example if you change it to something like:
>>
>> def must_update(self, encoded):
>>     # Update the stored password only if the iterations diff is at least
>>     # 250,000.
>>     algorithm, iterations, salt, hash = encoded.split('$', 3)
>>     iterations_diff = abs(self.iterations - int(iterations))
>>     return ((int(iterations) != self.iterations) and (iterations_diff >= 250000))
>>
>> Or even simply:
>>
>> def must_update(self, encoded):
>>     return False
>>
>>
>> אורי
>> u...@speedy.net
>>


-- 
Adam



Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread Florian Apolloner
I do not think there is anything to reopen because it works as designed. 
Password changes cause other browser sessions to be terminated because the 
session auth hash no longer matches.  You can use a custom user model and 
override `get_session_auth_hash` but the defaults won't change, sorry.

On Thursday, September 3, 2020 at 4:56:13 AM UTC+2 Uri wrote:

> Django developers,
>
> I would like to reopen #31970. In short, the problem is - 
> if a user is logged in with more than one browser, and when we upgrade 
> Django to any version which *PBKDF2PasswordHasher.iterations* changes 
> (which is *any* new version), and then the user logs in again - this logs 
> them out from all other browsers. I think this is a bug.
>
> I found out that this can be avoided by changing *def must_update*, for 
> example if you change it to something like:
>
> def must_update(self, encoded):
>     # Update the stored password only if the iterations diff is at least
>     # 250,000.
>     algorithm, iterations, salt, hash = encoded.split('$', 3)
>     iterations_diff = abs(self.iterations - int(iterations))
>     return ((int(iterations) != self.iterations) and (iterations_diff >= 250000))
>
> Or even simply:
>
> def must_update(self, encoded):
>     return False
>
>
> אורי
> u...@speedy.net
>

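The mechanism argued over in this thread, as an added stand-alone simulation that is neither Django's code nor the Speedy Net patch Uri links: a PBKDF2 hash stored as `algorithm$iterations$salt$hash` verifies with the iteration count it carries, a `must_update` rule decides whether a successful login rewrites the stored hash at the hasher's current count (Django's rule versus Uri's threshold variant), and a session auth hash computed as an HMAC over the stored string (the idea behind `get_session_auth_hash` that Florian points to) stops matching the moment the string is rewritten, which is why browser A is logged out after browser B logs in. The secret key, sample password, salt layout and the small iteration counts are constructed for the example; Django's real hasher and session code differ in detail.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed values for this stand-alone simulation; Django reads SECRET_KEY
# from settings and its PBKDF2 hasher has its own salt and iteration defaults.
SECRET_KEY = b"constructed-secret-key-not-for-real-use"
DEFAULT_THRESHOLD = 250_000   # the gap Uri's must_update variant waits for


def encode_password(password, iterations, salt=None):
    """Produce a PBKDF2 string in Django's layout: algorithm$iterations$salt$hash."""
    salt = salt or secrets.token_hex(11)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(digest).decode())


def verify_password(password, encoded):
    """Verification uses the iteration count stored in the hash itself, so a hash
    made under an older count keeps verifying after the hasher's count is raised."""
    _algorithm, iterations, salt, _hash = encoded.split("$", 3)
    candidate = encode_password(password, int(iterations), salt)
    return hmac.compare_digest(candidate, encoded)


def must_update_default(encoded, current_iterations):
    """Django's rule: rehash at the next successful login whenever the stored
    count differs from the hasher's current count."""
    return int(encoded.split("$", 3)[1]) != current_iterations


def must_update_threshold(encoded, current_iterations, threshold=DEFAULT_THRESHOLD):
    """Uri's variant from the thread: rehash only once the gap reaches `threshold`."""
    stored = int(encoded.split("$", 3)[1])
    return stored != current_iterations and abs(current_iterations - stored) >= threshold


def session_auth_hash(encoded):
    """Same idea as get_session_auth_hash: an HMAC over the stored encoded password,
    so any rewrite of the stored string changes the value every session carries."""
    return hmac.new(SECRET_KEY, encoded.encode(), hashlib.sha256).hexdigest()


class User:
    """Minimal stand-in for a user row holding an encoded password."""

    def __init__(self, raw_password, iterations):
        self.password = encode_password(raw_password, iterations)

    def check_password(self, raw_password, current_iterations, must_update):
        """Verify, then (as Django does) upgrade the stored hash if must_update says so."""
        ok = verify_password(raw_password, self.password)
        if ok and must_update(self.password, current_iterations):
            self.password = encode_password(raw_password, current_iterations)
        return ok

    def stored_iterations(self):
        return int(self.password.split("$", 3)[1])


def simulate_upgrade(old_iterations, new_iterations, must_update):
    """Log in from browser A, raise the hasher's iteration count, log in again from
    browser B. Return (browser A's session still valid?, iterations now stored)."""
    raw = "correct horse battery staple"   # constructed sample password
    user = User(raw, old_iterations)
    browser_a_session = session_auth_hash(user.password)   # saved at A's login
    # After the upgrade the hasher's count is new_iterations; B logs in.
    if not user.check_password(raw, new_iterations, must_update):
        raise RuntimeError("password should verify against the old hash")
    # Each request from A compares the session's hash with a freshly computed one.
    still_valid = hmac.compare_digest(browser_a_session, session_auth_hash(user.password))
    return still_valid, user.stored_iterations()


if __name__ == "__main__":
    # Small counts keep the demo quick; real deployments use far higher ones.
    print("default rule:  ", simulate_upgrade(1_000, 1_500, must_update_default))
    print("threshold rule:", simulate_upgrade(1_000, 1_500, must_update_threshold))
    print("threshold met: ", simulate_upgrade(1_000, 300_000, must_update_threshold))
```

With Django's rule the second login rewrites the hash and browser A's session stops validating; with the threshold rule the stored hash is left alone until the gap reaches the threshold, so the session survives but the hash stays at the older, cheaper cost for that long, which is the trade-off Shai flags. Whichever rule is chosen, verification of the old hash never breaks, because the iteration count travels inside the stored string.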