The attacker can have access to the password hash but no longer to the last 
login. if that same attacker is exploiting a vulnerability that gets 
patched just after (ex. Heartbleed) or has view on past data (ex. backups)

But if you can anyway craft a valid session cookie with the secret key 
(Which I didn't knew), this is totally useless.

Thanks you for the clarification !


You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To post to this group, send email to
Visit this group at
To view this discussion on the web visit
For more options, visit

Reply via email to