Re: Invalidating active sessions after a password change?

2014-01-29 Thread Альберт Тугушев
Btw I wrote a reusable application for this subject. Here is the link if it could help someone: https://github.com/alikus/django-password-session

On Tuesday, 2 October 2012, 18:23:25 UTC+4, user Dirley Rodrigues wrote:
>
> I've recently discovered this issue with my django based

Re: Invalidating active sessions after a password change?

2012-10-03 Thread Dirley
So, thank you for the insights. I ended up with a solution that is a mix of what you've proposed here. Each time a user logs in, its current *session validation token* is saved on the session. It is easy to code this using the `user_logged_in` signal. Then, I've changed the logic of the code

Re: Invalidating active sessions after a password change?

2012-10-03 Thread Cal Leeming [Simplicity Media Ltd]
Yeah, this debate is borderline silly now. OP, in a nutshell:
1) It is completely acceptable to revoke all other sessions after a password change
2) There are many ways to revoke sessions, pick one that is right for your use case.
3) Whether session revoking is enforced or optional is a choice

Re: Invalidating active sessions after a password change?

2012-10-03 Thread Tom Evans
On Tue, Oct 2, 2012 at 7:50 PM, Cal Leeming [Simplicity Media Ltd] wrote:
> On Tue, Oct 2, 2012 at 5:23 PM, Tom Evans wrote:
>> I did not say that it was not a desired feature, I said that
>> *personally* I would not have that

Re: Invalidating active sessions after a password change?

2012-10-02 Thread Cal Leeming [Simplicity Media Ltd]
On Tue, Oct 2, 2012 at 9:45 PM, Dennis Lee Bieber wrote: > On Tue, 2 Oct 2012 17:23:01 +0100, Tom Evans > declaimed the following in gmane.comp.python.django.user: > > > > > I did not say that it was not a desired feature, I said that > >

Re: Invalidating active sessions after a password change?

2012-10-02 Thread Cal Leeming [Simplicity Media Ltd]
On Tue, Oct 2, 2012 at 5:23 PM, Tom Evans wrote: > On Tue, Oct 2, 2012 at 4:43 PM, Cal Leeming [Simplicity Media Ltd] > wrote: > > > > > > On Tue, Oct 2, 2012 at 3:51 PM, Tom Evans > wrote: > >> > >> On

Re: Invalidating active sessions after a password change?

2012-10-02 Thread Tom Evans
On Tue, Oct 2, 2012 at 4:43 PM, Cal Leeming [Simplicity Media Ltd] wrote: > > > On Tue, Oct 2, 2012 at 3:51 PM, Tom Evans wrote: >> >> On Tue, Oct 2, 2012 at 3:22 PM, Dirley wrote: >> > I've recently discovered

Re: Invalidating active sessions after a password change?

2012-10-02 Thread Cal Leeming [Simplicity Media Ltd]
Sorry, my previous reply looked like I was disagreeing with the OP, this is not the case. I was disagreeing with this comment; Sessions aren't tied to specific users, and so cannot easily be invalidated like that. Personally, I wouldn't have the expectation that changing my password would

Re: Invalidating active sessions after a password change?

2012-10-02 Thread Cal Leeming [Simplicity Media Ltd]
On Tue, Oct 2, 2012 at 3:51 PM, Tom Evans wrote:
> On Tue, Oct 2, 2012 at 3:22 PM, Dirley wrote:
> > I've recently discovered this issue with my django based application.
> >
> > When a user changes its password, its active sessions are not

Re: Invalidating active sessions after a password change?

2012-10-02 Thread Tom Evans
On Tue, Oct 2, 2012 at 3:22 PM, Dirley wrote:
> I've recently discovered this issue with my django based application.
>
> When a user changes its password, its active sessions are not destroyed.
> I mean, if a user is logged in two different places (or in two different
>

Invalidating active sessions after a password change?

2012-10-02 Thread Dirley
I've recently discovered this issue with my django based application. When a user changes its password, its active sessions are not destroyed. I mean, if a user is logged in two different places (or in two different browsers) and changes its password on one place, the other session will still be