The attacker can have access to the password hash but no longer to the last login. if that same attacker is exploiting a vulnerability that gets patched just after (ex. Heartbleed) or has view on past data (ex. backups)
But if you can anyway craft a valid session cookie with the secret key (Which I didn't knew), this is totally useless. Thanks you for the clarification ! Alex -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to email@example.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/da8f1bc6-5af8-47da-8a2e-f834cc17d382%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.