Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread Florian Apolloner
On Thursday, September 3, 2020 at 11:10:39 AM UTC+2 Adam Johnson wrote: > You could also move to use the Argon2 hasher, which does not have any > changes between versions to log out users: > https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#using-argon2-with-django > Or a custom

Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread Adam Johnson
You could also move to use the Argon2 hasher, which does not have any changes between versions to log out users: https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#using-argon2-with-django It's also considered more secure. As the docs say: Argon2 is not the default for Django because

Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread Carlton Gibson
> On 3 Sep 2020, at 10:57, Tom Forbes wrote: > > You might have a point regarding the frequency of bumping the PBKDF iteration > setting. Is bumping it 5 times in 13 months really required? It was more like 40 months. For 1.11: May 20, 2016

Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread אורי
On Thu, Sep 3, 2020 at 11:57 AM Tom Forbes wrote: > You might have a point regarding the frequency of bumping the PBKDF > iteration setting. Is bumping it 5 times in 13 months really required? On > the other hand you might want to consider staying on the LTS releases and > avoid issues such as

Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread אורי
Hi, To conclude, I think it would be better to change the number of iterations not every 8 months, but every 2 years (with a new LTS release). אורי u...@speedy.net On Thu, Sep 3, 2020 at 10:29 AM Florian Apolloner wrote: > I do not think there is anything to reopen because it works as

Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread Tom Forbes
You might have a point regarding the frequency of bumping the PBKDF iteration setting. Is bumping it 5 times in 13 months really required? On the other hand you might want to consider staying on the LTS releases and avoid issues such as this, and the issue you’re describing is quite niche.

Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread אורי
Hi, On Thu, Sep 3, 2020 at 11:23 AM Shai Berger wrote: > > Please be aware that this is a security issue. The passwords are > encrypted as protection for the case that they fall into the hands of > an attacker, but for this protection to be effective, it must stay hard > and costly to

Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread Shai Berger
Hi Uri and all, On Thu, 3 Sep 2020 08:37:42 +0100 Adam Johnson wrote: > I agree with Florian. > Me too. > The occasional forced logout is probably fine. If you care about this > enough Uri, you could write a blog post documenting your patch and > how to use it when upgrading Django. > But:

Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread Adam Johnson
I agree with Florian. The occasional forced logout is probably fine. If you care about this enough Uri, you could write a blog post documenting your patch and how to use it when upgrading Django. On Thu, 3 Sep 2020 at 08:29, Florian Apolloner wrote: > I do not think there is anything to reopen

Re: Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-03 Thread Florian Apolloner
I do not think there is anything to reopen because it works as designed. Password changes cause other browser sessions to be terminated because the session auth hash no longer matches. You can use a custom user model and override `get_session_auth_hash` but the defaults won't change, sorry.
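The mechanism Florian describes, as an added simulation that is not part of the thread and not Django's own code: Django's default `get_session_auth_hash` is a keyed HMAC over the stored encoded password string (`pbkdf2_sha256$iterations$salt$hash`), and a login that verifies an old-iteration hash re-encodes it with the new iteration count and a fresh salt, so the HMAC stored in every other session stops matching and those sessions are flushed. The `User` class, the `epoch` field, `SECRET_KEY` and the simplified `salted_hmac` below are assumptions constructed for the demo; the alternative `get_session_auth_hash_epoch` sketches the kind of override a custom user model could make, keyed on a value that only rotates on an explicit password change.

```python
"""Constructed simulation of Django's session-auth-hash behaviour.

Not Django's code: the PBKDF2 storage format and the HMAC-over-password
idea follow Django, but the User class, the `epoch` field, SECRET_KEY and
the simplified salted_hmac are stand-ins built for this example.
"""
import base64
import hashlib
import hmac
import secrets

SECRET_KEY = "constructed-secret-key-for-the-demo"  # stand-in for settings.SECRET_KEY
KEY_SALT = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"


def encode_password(password: str, salt: str, iterations: int) -> str:
    """Encode in Django's PBKDF2 storage layout: algorithm$iterations$salt$hash."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(dk).decode())


def salted_hmac(key_salt: str, value: str, secret: str) -> str:
    """HMAC keyed by a digest of key_salt + secret (simplified form of Django's salted_hmac)."""
    key = hashlib.sha256((key_salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


class User:
    """Minimal stand-in for AbstractBaseUser. `epoch` is a hypothetical extra column."""

    def __init__(self, password: str, iterations: int):
        self.epoch = secrets.token_hex(16)
        self.password = encode_password(password, secrets.token_hex(8), iterations)

    def set_password(self, raw: str, iterations: int) -> None:
        """An explicit password change: new salt, new hash, and a rotated epoch."""
        self.password = encode_password(raw, secrets.token_hex(8), iterations)
        self.epoch = secrets.token_hex(16)  # a real change must still evict other sessions

    def check_password(self, raw: str, current_iterations: int) -> bool:
        """Verify against the stored hash; on success, upgrade it if the hasher config moved."""
        _algo, iters, salt, _digest = self.password.split("$")
        if not hmac.compare_digest(encode_password(raw, salt, int(iters)), self.password):
            return False
        if int(iters) != current_iterations:
            # Hasher upgrade on login: re-encode with a fresh salt and the new count,
            # as Django's check_password setter does. The epoch is deliberately left alone.
            self.password = encode_password(raw, secrets.token_hex(8), current_iterations)
        return True

    def get_session_auth_hash(self) -> str:
        """Django's default idea: HMAC over the whole stored password string."""
        return salted_hmac(KEY_SALT, self.password, SECRET_KEY)

    def get_session_auth_hash_epoch(self) -> str:
        """Alternative for a custom user model: HMAC over a value that only changes
        on an explicit set_password, not on a hasher iteration bump."""
        return salted_hmac(KEY_SALT, self.epoch, SECRET_KEY)


def simulate(use_epoch: bool) -> tuple:
    """Browser A logs in, Django is upgraded (iterations 1000 -> 2000), browser B logs in,
    then the user changes their password. Returns whether A's session still validates
    (a) after the upgrade-triggered rehash and (b) after the explicit password change."""
    hash_fn = User.get_session_auth_hash_epoch if use_epoch else User.get_session_auth_hash
    user = User("correct horse battery staple", iterations=1000)
    session_a = hash_fn(user)  # value Django would keep under HASH_SESSION_KEY for browser A
    assert user.check_password("correct horse battery staple", current_iterations=2000)  # browser B
    survives_upgrade = hmac.compare_digest(session_a, hash_fn(user))
    user.set_password("a different password", iterations=2000)
    survives_change = hmac.compare_digest(session_a, hash_fn(user))
    return survives_upgrade, survives_change


if __name__ == "__main__":
    print("default hash: upgrade/change survive =", simulate(use_epoch=False))  # (False, False)
    print("epoch hash:   upgrade/change survive =", simulate(use_epoch=True))   # (True, False)
```

With the default scheme the other browser's session is invalidated both by the iteration bump and by the real password change; with the epoch-keyed hash only the real change evicts it. In real Django the setter inside `AbstractBaseUser.check_password` calls `set_password`, so an override along these lines must also separate "rehash for upgrade" from "user chose a new password", and the epoch value must be treated with the same care as the password hash, since whoever can read and replay it keeps sessions alive.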

Logging in from one browser logs me out from other browsers (after any change in PBKDF2PasswordHasher.iterations)

2020-09-02 Thread אורי
Django developers, I would like to reopen #31970 . In short, the problem is - if a user is logged in with more than one browser, and when we upgrade Django to any version which *PBKDF2PasswordHasher.iterations* changes (which is *any* new version), and