On Tuesday, January 10, 2012 03:56:04 UTC+1, Sergiy wrote:

> I'm not sure that invalidating sessions based on the last password change is
> the right thing to do. If the password has been compromised, this
> effectively enables an active attacker to deny access to the legitimate
> user. In the case of the Django admin site this can be quite disruptive, as there is
> no password recovery option by default. And if a superuser password has been
> stolen, it takes only a few clicks to create another superuser account or to
> grant someone superuser privileges. Password change seems to be a rather
> weak defense in this case.

I see your point. However, if a malicious user changed the password, *at least* the original user would be logged out and not be able to log in again. Now that user knows something is going on and can notify a server admin, who can reset the password using the admin system or manage.py.
With the current logic, the password might get changed by a malicious user and the original user will not notice this until they log out. It is the same problem, but this makes it a lot harder to trace what happened, since we don't know when the password was last changed. I agree that this is a somewhat weak defense, but I think that it's more effective than the current logic. The plus side is that it would be fairly easy to implement.

> Session invalidation based on password change would only be effective if
> someone is passively spying using a compromised password.

This is not entirely true. The implementation would be a huge help when a user forgets to log out on a public computer. It would at least give us *some* control over the sessions being in use, besides decoding all the sessions in the database and deleting the ones that are tied to our account. I agree that it would be better to have a more feature-rich session management system that allows us to invalidate sessions based on user, IP, login date etc. But that would be a much bigger change to the code-base and almost certainly involve some database changes.