On Tue, Jan 10, 2012 at 4:18 PM, Arnoud van Heuvelen
<avanheuve...@gmail.com> wrote:
> I see your point. However, if a malicious user would change the password, at
> least the original user would be logged out and not be able to log in again.
> Now, that user knows something is going on and can notify a server admin who
> can reset the password using the admin system or manage.py.
>
> With the current logic, the password might get changed by a malicious user
> and the original user will not notice this until they log out. It is the
> same problem, but this makes it a lot harder to trace what happened since we
> don't know when the password was last changed.
>
> I agree that this is a somewhat weak defense, but I think that it's more
> effective than the current logic. The plus side is that it would be fairly
> easy to implement.
>
>>
>> Session invalidation based on password change would only be effective if
>> someone is passively spying using a compromised password.
>
>
> This is not entirely true. The implementation would be a huge help when a
> user forgets to log out on a public computer. It would at least give us some
> control over the sessions being in use. Besides decoding all the sessions in
> the database and deleting the ones that are tied to our account.
>
> I agree that it would be better to have a more feature-rich session
> management system that allows us to invalidate sessions based on user, IP,
> login date etc. But that would be a much bigger change to the code-base and
> almost certainly involve some database changes.
>

This is achievable with very little work, and no changes to core. We
implemented this feature for different reasons, but I see no reason
why you cannot make it do what you wanted it to do.

Basically:

Use a database session backend.

Define a new model for holding session references:

from django.contrib.auth.models import User
from django.contrib.sessions.models import Session
from django.db import models

class SessionAudit(models.Model):
    # One row per live session, linked back to the user who owns it.
    user = models.ForeignKey(User)
    session = models.ForeignKey(Session)
    ip_address = models.IPAddressField()
    user_agent = models.TextField()
    modified = models.DateTimeField(auto_now=True)
    created = models.DateTimeField(auto_now_add=True)

Hook into django.contrib.auth.signals.{user_logged_in,user_logged_out}
and {create,remove} SessionAudit objects appropriately.

You now have, linked to the user, a list of their active sessions. If
you need to log out all but the current session, you simply need to
destroy the appropriate Sessions, as found from the SessionAudit
model.

As a final bit of cleanup, when you destroy your sessions, you should
also destroy the related SessionAudit.

If you want to talk more about this approach, I think we are firmly in
django-users@ ground now, as this is simple BI.

Cheers

Tom

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.