Re: [Django] #31179: Using the "forgot password" mechanism doesn't invalidate other sessions

2020-01-24 Thread Django
#31179: Using the "forgot password" mechanism doesn't invalidate other sessions
--+-
 Reporter:  Mike Lissner  |Owner:  Rishabh Verma
 Type:  Bug   |   Status:  closed
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:  invalid
 Keywords:  forgot password, reset password, sessions logs out  | Triage Stage:  Accepted
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+-

Comment (by Mike Lissner):

 Curious. I thought I reproduced it too, but perhaps I didn't do my test
 properly. I'm checking with the vulnerability reporter if he can reproduce
 it and will reopen if there's some subtlety we've missed (I suspect not!).

 Thanks for the response and sorry for taking your time.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/066.a7ace800f167bfa1e04ee8d0d2a9adf8%40djangoproject.com.


Re: [Django] #31179: Using the "forgot password" mechanism doesn't invalidate other sessions

2020-01-19 Thread Django
#31179: Using the "forgot password" mechanism doesn't invalidate other sessions
--+-
 Reporter:  Mike Lissner  |Owner:  Rishabh Verma
 Type:  Bug   |   Status:  closed
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:  invalid
 Keywords:  forgot password, reset password, sessions logs out  | Triage Stage:  Accepted
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+-
Changes (by Marten Kenbeek):

 * status:  assigned => closed
 * resolution:   => invalid


Comment:

 Just updating the password is enough to invalidate all sessions. As you
 can see in
 [https://github.com/django/django/blob/7d8df4ad032c6241776c2b3ec6c76af9dd84fda3/django/contrib/auth/base_user.py#L123 User.get_session_auth_hash()],
 the session hash is an HMAC of the current password hash. Any session which
 does not have the correct session hash after the password has been updated
 is automatically discarded when accessed.

 What `update_session_auth_hash()` does is revalidate the ''current''
 session, by saving the new session hash in it. This prevents a logged-in
 user from having to log in again when they've just entered both their old
 and new passwords in the very same session.

 In `PasswordResetView`, the user is not expected to be logged in, so
 revalidating the session has no effect.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/066.e13dbea40278a8cb5270f89910b0b9f5%40djangoproject.com.
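Marten's explanation above, worked through as an added example (this is not Django's own code and is not from the ticket): a standard-library-only model that mirrors the logic of User.get_session_auth_hash(), django.contrib.auth.get_user() and update_session_auth_hash() as they stood at the linked commit. The User and Session classes, the SECRET_KEY value, the "alice" user and the two scenario functions are constructed for the example, and the password hasher is a salted SHA-256 stand-in rather than Django's PBKDF2; only the fact that the stored hash changes on every set_password() matters. It runs without Django installed.

```python
"""Stand-alone model of Django's session auth hash, stdlib only (no Django needed).

Added example, not Django's code: User, Session and the scenario functions are
constructed here; salted_hmac(), get_session_auth_hash(), get_user() and
update_session_auth_hash() follow the logic of django.utils.crypto and
django.contrib.auth at the time of ticket #31179.
"""
import hashlib
import hmac
import secrets

SECRET_KEY = "constructed-secret-key-for-the-example"  # assumption: stands in for settings.SECRET_KEY
HASH_SESSION_KEY = "_auth_user_hash"  # session key name used by django.contrib.auth
KEY_SALT = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"


def salted_hmac(key_salt, value, secret=SECRET_KEY):
    # django.utils.crypto.salted_hmac() default at the time: key = SHA1(key_salt + secret),
    # then HMAC-SHA1 over the value.
    key = hashlib.sha1((key_salt + secret).encode()).digest()
    return hmac.new(key, msg=value.encode(), digestmod=hashlib.sha1)


class User:
    """Constructed stand-in for AbstractBaseUser with only the pieces that matter here."""

    def __init__(self, username, raw_password):
        self.username = username
        self.set_password(raw_password)

    def set_password(self, raw_password):
        # Stand-in for Django's password hasher: salted SHA-256. The only property used
        # below is that the stored string changes every time the password is set.
        salt = secrets.token_hex(8)
        digest = hashlib.sha256((salt + raw_password).encode()).hexdigest()
        self.password = f"example_sha256${salt}${digest}"

    def get_session_auth_hash(self):
        # Same construction as AbstractBaseUser.get_session_auth_hash(): an HMAC over the
        # stored password hash, so changing the password changes the expected value.
        return salted_hmac(KEY_SALT, self.password).hexdigest()


class Session(dict):
    """Constructed minimal session store: a dict plus the two methods the auth code calls."""

    def __init__(self):
        super().__init__()
        self.key = secrets.token_hex(16)

    def flush(self):
        self.clear()
        self.key = secrets.token_hex(16)

    def cycle_key(self):
        self.key = secrets.token_hex(16)


def login(session, user):
    # What django.contrib.auth.login() stores: the user id and the auth hash at login time.
    session["_auth_user_id"] = user.username
    session[HASH_SESSION_KEY] = user.get_session_auth_hash()


def get_user(session, users):
    """Mirrors django.contrib.auth.get_user(): the hash stored at login must match the
    HMAC of the user's *current* password hash, otherwise the session is flushed."""
    user = users.get(session.get("_auth_user_id"))
    if user is None:
        return None
    session_hash = session.get(HASH_SESSION_KEY)
    verified = bool(session_hash) and hmac.compare_digest(session_hash, user.get_session_auth_hash())
    if not verified:
        session.flush()
        return None
    return user


def update_session_auth_hash(session, request_user, user):
    """Mirrors django.contrib.auth.update_session_auth_hash(): rotate the session key and,
    only if the request's user is the user whose password changed, store the new hash."""
    session.cycle_key()
    if request_user is not None and request_user.username == user.username:
        session[HASH_SESSION_KEY] = user.get_session_auth_hash()


def password_reset_scenario():
    """Ticket #31179: a reset from an anonymous session invalidates every existing session."""
    alice = User("alice", "old-pw")
    users = {"alice": alice}
    laptop, phone = Session(), Session()
    login(laptop, alice)
    login(phone, alice)
    reset_session = Session()  # the reset link is opened without logging in
    request_user = get_user(reset_session, users)  # None: nobody is logged in here
    alice.set_password("new-pw")
    # Revalidating the anonymous session stores nothing, as the comment above says.
    update_session_auth_hash(reset_session, request_user, alice)
    return {"laptop": get_user(laptop, users), "phone": get_user(phone, users),
            "reset_session_has_hash": HASH_SESSION_KEY in reset_session}


def password_change_scenario():
    """Logged-in password change: the changing session is revalidated, the other one dies."""
    alice = User("alice", "old-pw")
    users = {"alice": alice}
    laptop, phone = Session(), Session()
    login(laptop, alice)
    login(phone, alice)
    request_user = get_user(laptop, users)  # resolved before the view runs (login required)
    alice.set_password("new-pw")
    update_session_auth_hash(laptop, request_user, alice)
    return {"laptop": get_user(laptop, users), "phone": get_user(phone, users)}


if __name__ == "__main__":
    print("reset:", password_reset_scenario())
    print("change:", password_change_scenario())
```

Two practical caveats follow from the model. The stale session is discarded only when it is next accessed through the auth middleware, so the session row survives in the store until then; if you need the old sessions gone immediately (for instance to revoke a session id that has already leaked), delete them from the session store explicitly. And get_user() only performs the check when the user object has a get_session_auth_hash() method, so a custom user model that does not inherit from AbstractBaseUser gets no invalidation on password change unless it implements that method itself.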


Re: [Django] #31179: Using the "forgot password" mechanism doesn't invalidate other sessions

2020-01-19 Thread Django
#31179: Using the "forgot password" mechanism doesn't invalidate other sessions
--+-
 Reporter:  Mike Lissner  |Owner:  Rishabh Verma
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:  forgot password, reset password, sessions logs out  | Triage Stage:  Accepted
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+-
Changes (by Rishabh Verma):

 * keywords:   => forgot password, reset password, sessions logs out


-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/066.97367a4edb4bd6ab14150c1a933bcd15%40djangoproject.com.


Re: [Django] #31179: Using the "forgot password" mechanism doesn't invalidate other sessions

2020-01-19 Thread Django
#31179: Using the "forgot password" mechanism doesn't invalidate other sessions
--+-
 Reporter:  Mike Lissner  |Owner:  Rishabh Verma
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+-
Changes (by Rishabh Verma):

 * owner:  nobody => Rishabh Verma
 * status:  new => assigned
 * stage:  Unreviewed => Accepted


-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/066.549cb456d54ad9bf5dcd6485275b9811%40djangoproject.com.