I'm not sure that invalidating sessions based on the last password change is the right thing to do. If the password has been compromised, this effectively enables an active attacker to deny access to the legitimate user. In the case of the Django admin site this can be quite disruptive, as there is no password recovery option by default. And if a superuser password has been stolen, it takes only a few clicks to create another superuser account or to grant someone superuser privileges. Password change seems to be a rather weak defense in this case.
Session invalidation based on password change would only be effective if someone is passively spying using a compromised password.

Cheers,
Sergiy
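The mechanism being debated, reduced to a runnable sketch. This is an added example, not Django's code and not Sergiy's: the session stores an HMAC of the user's stored password hash (keyed by a server secret), and every request recomputes and compares it, so a password change drops existing sessions. The `SECRET_KEY` constant, the PBKDF2 password hashing, the `User` class and the in-memory `SessionStore` are all constructed for the example. The second function reproduces the objection in the message: a party who already holds the password can change it, keep their own session alive by refreshing its auth hash, and thereby lock the legitimate owner out.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for a server-side secret; not a real key.
SECRET_KEY = b"example-secret-key-not-for-production"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 (assumed scheme); stored form is 'salt$digest' in hex."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


class User:
    """Minimal user record; the password hash is the only field that changes."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.password_hash = hash_password(password)

    def set_password(self, password: str) -> None:
        self.password_hash = hash_password(password)

    def session_auth_hash(self) -> str:
        # HMAC over the stored password hash, keyed by the server secret.
        # The session holds this value, never the password hash itself.
        return hmac.new(SECRET_KEY, self.password_hash.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """In-memory store: session id -> {'user': ..., 'auth_hash': ...}."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, str]] = {}

    def login(self, user: User) -> str:
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = {"user": user.username, "auth_hash": user.session_auth_hash()}
        return session_id

    def refresh(self, session_id: str, user: User) -> None:
        """Rebind a live session to the user's current password hash (what the
        session that performed the change would do so it is not logged out)."""
        self.sessions[session_id]["auth_hash"] = user.session_auth_hash()

    def user_for_session(self, session_id: str, users: Dict[str, User]) -> Optional[User]:
        """Return the user only if the session exists AND its auth hash still matches."""
        data = self.sessions.get(session_id)
        if data is None:
            return None
        user = users.get(data["user"])
        if user is None:
            return None
        if not hmac.compare_digest(data["auth_hash"], user.session_auth_hash()):
            # Password changed since login: treat the session as invalid.
            del self.sessions[session_id]
            return None
        return user


def password_change_invalidates_session() -> bool:
    """Intended flow: the owner changes the password; a session opened earlier dies."""
    users = {"alice": User("alice", "correct horse")}
    store = SessionStore()
    old_sid = store.login(users["alice"])
    users["alice"].set_password("new passphrase")
    return store.user_for_session(old_sid, users) is None


def stolen_password_locks_out_owner() -> bool:
    """The objection above: whoever holds the password can change it and, by
    refreshing their own session, keep access while the owner's session is dropped."""
    users = {"alice": User("alice", "correct horse")}
    store = SessionStore()
    owner_sid = store.login(users["alice"])
    # The attacker presents the stolen password and obtains a session of their own.
    assert check_password("correct horse", users["alice"].password_hash)
    attacker_sid = store.login(users["alice"])
    users["alice"].set_password("attacker chosen")
    store.refresh(attacker_sid, users["alice"])
    owner_locked_out = store.user_for_session(owner_sid, users) is None
    attacker_still_in = store.user_for_session(attacker_sid, users) is users["alice"]
    return owner_locked_out and attacker_still_in
```

The comparison happens on every request, so the check is only as strong as what it is keyed to: anyone who can rotate the password controls which sessions survive, which is exactly the point made in the message.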