#31179: Using the "forgot password" mechanism doesn't invalidate other sessions
-------------------------------------+-------------------------------------
     Reporter:  Mike Lissner         |                    Owner:  Rishabh Verma
         Type:  Bug                  |                   Status:  closed
    Component:  contrib.auth         |                  Version:  master
     Severity:  Normal               |               Resolution:  invalid
     Keywords:  forgot password,     |             Triage Stage:  Accepted
  reset password, sessions logs out  |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Marten Kenbeek):

 * status:  assigned => closed
 * resolution:   => invalid

Comment:

 Just updating the password is enough to invalidate all sessions. As you can
 see in
 [https://github.com/django/django/blob/7d8df4ad032c6241776c2b3ec6c76af9dd84fda3/django/contrib/auth/base_user.py#L123
 User.get_session_auth_hash()], the session hash is an HMAC of the current
 password hash. Any session which does not have the correct session hash
 after the password has been updated is automatically discarded when
 accessed.

 What `update_session_auth_hash()` does is revalidate the ''current''
 session, by saving the new session hash in it. This prevents a logged-in
 user from having to log in again when they've just entered both their old
 and new passwords in the very same session. In `PasswordResetView`, the
 user is not expected to be logged in, so revalidating the session has no
 effect.

--
Ticket URL: <https://code.djangoproject.com/ticket/31179#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
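The mechanism described in the comment, as an added stand-alone model rather than Django's own code: a session stores an HMAC over the user's stored password hash, the auth check recomputes that HMAC on every access and flushes any session whose stored value no longer matches, and `update_session_auth_hash()` re-stamps only the session it is handed. The `SECRET_KEY`, `KEY_SALT`, toy `make_password()` hasher and the two scenario functions are constructed for this example; `salted_hmac()` follows the same salt-plus-secret construction Django uses but is a re-implementation, not an import from `django.utils.crypto`.

```python
"""Minimal model of the session-auth-hash mechanism (constructed for
illustration; not Django's own code). Names mirror contrib.auth, but the
password hasher, secret and salt are stand-ins."""
import hashlib
import hmac

SECRET_KEY = "constructed-demo-secret-key"   # stand-in for settings.SECRET_KEY
KEY_SALT = "demo.get_session_auth_hash"      # stand-in for Django's key_salt string
HASH_SESSION_KEY = "_auth_user_hash"         # session key name used for the hash


def salted_hmac(key_salt: str, value: str, secret: str = SECRET_KEY) -> str:
    """HMAC keyed by sha256(key_salt + secret), in the style of salted_hmac()."""
    key = hashlib.sha256((key_salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def make_password(raw: str) -> str:
    """Toy password hasher; a real deployment uses a slow, salted hasher."""
    return "toy$" + hashlib.sha256(raw.encode()).hexdigest()


class User:
    def __init__(self, raw_password: str):
        self.password = make_password(raw_password)

    def set_password(self, raw_password: str) -> None:
        self.password = make_password(raw_password)

    def get_session_auth_hash(self) -> str:
        # HMAC over the *stored password hash*: it changes whenever the
        # password changes, so every session stamped with the old value dies.
        return salted_hmac(KEY_SALT, self.password)


def login(session: dict, user: User) -> None:
    session[HASH_SESSION_KEY] = user.get_session_auth_hash()


def update_session_auth_hash(session: dict, user: User) -> None:
    """Re-stamp the *current* session only, so the user who just changed
    their password in this session is not logged out."""
    session[HASH_SESSION_KEY] = user.get_session_auth_hash()


def get_user(session: dict, user: User):
    """Model of the auth middleware check: a session whose stored hash no
    longer matches the user's current hash is flushed and treated as anonymous."""
    stored = session.get(HASH_SESSION_KEY)
    if stored is None or not hmac.compare_digest(stored, user.get_session_auth_hash()):
        session.clear()
        return None
    return user


def change_password_in_session(user: User, current: dict, other: dict) -> dict:
    """Logged-in password change: only the session that made the change survives."""
    login(current, user)
    login(other, user)
    user.set_password("new-password")
    update_session_auth_hash(current, user)
    return {"current_ok": get_user(current, user) is user,
            "other_ok": get_user(other, user) is user}


def reset_password_without_session(user: User, sessions: list) -> list:
    """PasswordResetView case: no logged-in session exists to re-stamp, so
    every previously issued session is invalidated on its next access."""
    for s in sessions:
        login(s, user)
    user.set_password("new-password")
    return [get_user(s, user) is user for s in sessions]


if __name__ == "__main__":
    print(change_password_in_session(User("old"), {}, {}))
    print(reset_password_without_session(User("old"), [{}, {}, {}]))
```

The two scenario functions are the comment's two cases: a logged-in change keeps exactly one session alive, and a reset performed without a session (the forgot-password flow) leaves none, because there is nothing for `update_session_auth_hash()` to re-stamp.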