So, thank you for the insights. I ended up with a solution that is a mix of
what you've proposed here.

Each time a user logs in, its current *session validation token* is saved on
the session. It is easy to code this using the `user_logged_in` signal.

Then, I've changed the logic of the code that extracts the *authenticated user*
from the session. Now, it extracts the user and checks its token. If the token
doesn't match or is missing, the session is flushed (maybe it should be
deleted?) and the user is replaced by an instance of `AnonymousUser`.

The only thing not defined here is how to calculate the token. I'm currently
calculating it based on the user password, so when the user changes its
password, the token is automatically refreshed. A more adequate approach would
be to save that token on an attribute of the user model or something, making it
optional to refresh the token or not (like Facebook does it).

An example of this implementation is available here:

  http://pastebin.com/jASA4v6K

This is a quick and dirty solution. To use it, just call
`session_invalidation.setup` during the app boot (you can call it from inside
any installed app `models.py`). Note, though, that it does some things the
wrong way:

-  It monkeypatches `d.c.auth.get_user` to change its logic and do the
   token-checking magic. This is ok for a quick and dirty solution, but more
   sophisticated code would do it differently, maybe through middlewares.

-  It calculates the token based on the user's current password. When the user
   changes its password, all its active sessions are automatically
   invalidated. Even the current one (the one where the password change was
   done). I've managed to avoid this problem by calling
   `session_invalidation.reset_session_validation_token` after the password
   change, so the current session doesn't get invalidated.

That's it. Thank you for the clues.


- D
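A self-contained sketch of the scheme described in this message, added here as an example; it is not the code behind the pastebin link and not Django's own code. It uses plain dicts as sessions, a minimal `User`/`AnonymousUser` pair instead of Django's models, a constructed `SECRET_KEY`, and an assumed session key name `_session_validation_token`. The token is a keyed HMAC over the stored password hash, so a password change invalidates every session still carrying the old token, and `reset_session_validation_token` is the call the author makes in the current session right after the change so that it survives. (Django 1.7 later shipped the same idea built in, as `get_session_auth_hash()` checked inside `django.contrib.auth.get_user`.)

```python
import hashlib
import hmac

# Constructed stand-in for Django's SECRET_KEY; never reuse a value like this.
SECRET_KEY = b"constructed-example-secret"
# Assumed name of the session entry holding the token.
SESSION_TOKEN_KEY = "_session_validation_token"


class User:
    """Minimal stand-in for a Django user: only what the check needs."""

    def __init__(self, pk, password_hash):
        self.pk = pk
        self.password_hash = password_hash
        self.is_authenticated = True


class AnonymousUser:
    """Stand-in for django.contrib.auth.models.AnonymousUser."""

    pk = None
    is_authenticated = False


def session_validation_token(user):
    """Derive the token from the stored password hash, keyed with the app
    secret. Any change to the password hash changes the token, so sessions
    that recorded the old token stop validating."""
    return hmac.new(
        SECRET_KEY, user.password_hash.encode(), hashlib.sha256
    ).hexdigest()


def reset_session_validation_token(session, user):
    """Store the user's current token in the session. This is what the
    user_logged_in handler does, and what the author calls in the current
    session after a password change so that only *other* sessions drop."""
    session[SESSION_TOKEN_KEY] = session_validation_token(user)


def get_user(session, user_store):
    """Replacement for the 'extract the authenticated user from the session'
    logic: return the user only when the session's token matches the token
    derived from the user's current state; otherwise flush the session
    (session.flush() in Django) and hand back AnonymousUser."""
    user = user_store.get(session.get("_auth_user_id"))
    if user is None:
        return AnonymousUser()
    stored = session.get(SESSION_TOKEN_KEY)
    expected = session_validation_token(user)
    if stored is None or not hmac.compare_digest(stored, expected):
        session.clear()
        return AnonymousUser()
    return user


def demo():
    """Two sessions for one user; the password is changed from the laptop.
    Returns (auth state before, auth state after, phone session still has
    a token) so the behaviour can be checked without Django."""
    users = {1: User(1, "constructed-old-password-hash")}
    user = users[1]
    phone = {"_auth_user_id": 1}
    laptop = {"_auth_user_id": 1}
    reset_session_validation_token(phone, user)
    reset_session_validation_token(laptop, user)
    before = (
        get_user(phone, users).is_authenticated,
        get_user(laptop, users).is_authenticated,
    )
    # Password change made from the laptop: refresh only that session's token.
    user.password_hash = "constructed-new-password-hash"
    reset_session_validation_token(laptop, user)
    after = (
        get_user(phone, users).is_authenticated,
        get_user(laptop, users).is_authenticated,
    )
    return before, after, SESSION_TOKEN_KEY in phone


if __name__ == "__main__":
    print(demo())
```

The comparison uses `hmac.compare_digest` rather than `==` so that a token check does not leak timing information, and the session is cleared rather than merely left unauthenticated, matching the author's choice of flushing on mismatch.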

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.
