#31179: Using the "forgot password" mechanism doesn't invalidate other sessions
-------------------------------------+-------------------------------------
     Reporter:  Mike Lissner         |                    Owner:  Rishabh
                                     |  Verma
         Type:  Bug                  |                   Status:  closed
    Component:  contrib.auth         |                  Version:  master
     Severity:  Normal               |               Resolution:  invalid
     Keywords:  forgot password,     |             Triage Stage:  Accepted
  reset password, sessions logs out  |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Marten Kenbeek):

 * status:  assigned => closed
 * resolution:   => invalid


Comment:

 Just updating the password is enough to invalidate all sessions. As you
 can see in
 [https://github.com/django/django/blob/7d8df4ad032c6241776c2b3ec6c76af9dd84fda3/django/contrib/auth/base_user.py#L123 User.get_session_auth_hash()],
 the session hash is an HMAC of the current password hash. Any session
 which does not have the correct session hash after the password has been
 updated is automatically discarded when accessed.

 What `update_session_auth_hash()` does is revalidate the ''current''
 session, by saving the new session hash in it. This prevents a logged-in
 user from having to log in again when they've just entered both their old
 and new passwords in the very same session.

 In `PasswordResetView`, the user is not expected to be logged in, so
 revalidating the session has no effect.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/31179#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
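The mechanism described in the comment above, as an added stand-alone model that is not Django's own code and does not import Django: the session stores an HMAC of the user's password hash, a session whose stored HMAC no longer matches is flushed on access, and `update_session_auth_hash()` only refreshes the session that is currently logged in as that user. The `salted_hmac`, `User`, `login`, `get_user` and scenario functions are simplified stand-ins written for this example; `SECRET_KEY` and the sample passwords are constructed values, and the PBKDF2 parameters are an assumption rather than Django's configured hasher.

```python
import hashlib
import hmac
import os

# Constructed stand-in for settings.SECRET_KEY (not a real key).
SECRET_KEY = "constructed-secret-key-for-the-example"
# Key salt separating this HMAC from other salted_hmac uses (assumed label).
KEY_SALT = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"
SESSION_KEY = "_auth_user_id"
HASH_SESSION_KEY = "_auth_user_hash"


def salted_hmac(key_salt: str, value: str, secret: str) -> str:
    """Simplified model of a salted HMAC: derive a key from salt+secret, then HMAC the value."""
    key = hashlib.sha256((key_salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


class User:
    """Minimal stand-in for AbstractBaseUser (example code, not Django's)."""

    def __init__(self, pk: int, raw_password: str):
        self.pk = pk
        self.password = ""  # the stored password *hash*
        self.set_password(raw_password)

    def set_password(self, raw_password: str) -> None:
        # Fresh random salt + PBKDF2 (assumed parameters); the hash changes on every call.
        salt = os.urandom(16).hex()
        digest = hashlib.pbkdf2_hmac("sha256", raw_password.encode(), salt.encode(), 100_000).hex()
        self.password = f"pbkdf2_sha256${salt}${digest}"

    def get_session_auth_hash(self) -> str:
        # HMAC over the password hash, so any password update changes it.
        return salted_hmac(KEY_SALT, self.password, SECRET_KEY)


def login(session: dict, user: User) -> None:
    """Bind a session to a user and record the session auth hash."""
    session[SESSION_KEY] = user.pk
    session[HASH_SESSION_KEY] = user.get_session_auth_hash()


def update_session_auth_hash(session: dict, user: User) -> None:
    """Revalidate only this session, and only if it is logged in as `user`."""
    if session.get(SESSION_KEY) == user.pk:
        session[HASH_SESSION_KEY] = user.get_session_auth_hash()


def get_user(session: dict, users: dict):
    """Model of the auth middleware lookup: flush the session if the hash no longer matches."""
    user = users.get(session.get(SESSION_KEY))
    if user is None:
        return None
    stored = session.get(HASH_SESSION_KEY, "")
    if not hmac.compare_digest(stored, user.get_session_auth_hash()):
        session.clear()  # stale session is discarded when accessed
        return None
    return user


def password_change_scenario():
    """Logged-in password change: the current session survives, the other one is dropped."""
    alice = User(pk=1, raw_password="constructed-old-pass")
    users = {alice.pk: alice}
    laptop, phone = {}, {}
    login(laptop, alice)
    login(phone, alice)
    alice.set_password("constructed-new-pass")
    update_session_auth_hash(laptop, alice)  # what a password-change view does for its own session
    return get_user(laptop, users) is alice, get_user(phone, users) is alice


def password_reset_scenario():
    """Forgot-password flow: the resetting browser is anonymous, so every old session is dropped."""
    alice = User(pk=1, raw_password="constructed-old-pass")
    users = {alice.pk: alice}
    laptop, phone = {}, {}
    login(laptop, alice)
    login(phone, alice)
    alice.set_password("constructed-new-pass")
    anonymous = {}  # no logged-in user in the reset request
    update_session_auth_hash(anonymous, alice)  # no effect: nothing to revalidate
    return get_user(laptop, users) is None and get_user(phone, users) is None and anonymous == {}


if __name__ == "__main__":
    print("change:", password_change_scenario())  # (True, False)
    print("reset :", password_reset_scenario())   # True
```

The two scenario functions reproduce the distinction the comment draws: after a password change, every session carrying the old HMAC is flushed the next time it is read, and `update_session_auth_hash()` is only needed to keep the one session in which the user is already logged in. In the reset flow there is no such session, so the behaviour the ticket asked for is already what happens.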

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/066.e13dbea40278a8cb5270f89910b0b9f5%40djangoproject.com.
