Wednesday, January 29, 2014

Re: Invalidating active sessions after a password change?

Btw I wrote a reusable application for this subject. Here is the link if it could help someone:
https://github.com/alikus/django-password-session

On Tuesday, October 2, 2012 at 18:23:25 UTC+4, Dirley Rodrigues wrote:
I've recently discovered this issue with my django based application.

When a user changes their password, their active sessions are not destroyed.
I mean, if a user is logged in two different places (or in two different
browsers) and changes its password on one place, the other session will still
be active.

I think this is an issue. If a user thinks his password has been stolen,
he'll naturally change his password in the hope that this action will revoke
the robber's undue access to his account. It's kinda "expected" that after a
password change, everyone with your old password will not be allowed to log in.

But as far as I can tell, this has been the default behaviour for a long time
and no one ever bothered. So, am I missing something? Maybe my specific
setup (I changed my auth backend a little bit) is problematic?

- D

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/988d1e6e-7e26-42b9-b14f-33f1032b491f%40googlegroups.com.
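One way to get the behaviour Dirley expects, as an added example (not code from this thread or from django-password-session): each session stores a keyed fingerprint of the user's current password hash, checked on every request, so a password change silently logs out every other session while the one that made the change stays valid. The `User` class, `SECRET_KEY` and the `_auth_user_hash` session key are stand-ins for Django's; Django 1.7 later shipped this mechanism as `get_session_auth_hash()` / `update_session_auth_hash()`.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for settings.SECRET_KEY; never hard-code a real one.
SECRET_KEY = b"constructed-secret-key-for-demo-only"
SESSION_HASH_KEY = "_auth_user_hash"  # assumed session key name


class User:
    """Minimal stand-in for a Django user: only the stored password hash."""

    def __init__(self, username, password):
        self.username = username
        self.set_password(password)

    def set_password(self, raw_password):
        # PBKDF2 stand-in for Django's hasher; a fresh salt guarantees the
        # stored hash changes on every password change, even to the same value.
        salt = secrets.token_hex(8)
        digest = hashlib.pbkdf2_hmac("sha256", raw_password.encode(), salt.encode(), 10_000)
        self.password = f"pbkdf2_sha256${salt}${digest.hex()}"

    def get_session_auth_hash(self):
        # Keyed HMAC of the stored hash: changes whenever the password does,
        # and cannot be forged without the site secret.
        return hmac.new(SECRET_KEY, self.password.encode(), hashlib.sha256).hexdigest()


def login(session, user):
    """Record the user and a fingerprint of their current password hash."""
    session["_auth_user_id"] = user.username
    session[SESSION_HASH_KEY] = user.get_session_auth_hash()


def session_is_valid(session, user):
    """Per-request check: valid only while the fingerprint still matches."""
    stored = session.get(SESSION_HASH_KEY)
    return stored is not None and hmac.compare_digest(stored, user.get_session_auth_hash())


def change_password(user, current_session, new_password):
    """Change the password and refresh only the session that performed the change."""
    user.set_password(new_password)
    current_session[SESSION_HASH_KEY] = user.get_session_auth_hash()


def demo():
    """Two browsers share one account; browser A changes the password."""
    user = User("dirley", "old-password")
    browser_a, browser_b = {}, {}
    login(browser_a, user)
    login(browser_b, user)
    change_password(user, browser_a, "new-password")
    return session_is_valid(browser_a, user), session_is_valid(browser_b, user)
```

`demo()` returns `(True, False)`: the changing browser keeps its session, the other one is logged out on its next request without the server having to enumerate the user's sessions.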
