Btw, I wrote a reusable application for this subject. Here is the link in case it helps someone: https://github.com/alikus/django-password-session

On Tuesday, October 2, 2012 at 18:23:25 UTC+4, Dirley Rodrigues wrote:
>
> I've recently discovered this issue with my django based application.
>
> When a user changes its password, its active sessions are not destroyed.
> I mean, if a user is logged in two different places (or in two different
> browsers) and changes its password on one place, the other session will
> still be active.
>
> I think this is an issue. If a user thinks his password has been stolen,
> he'll naturally change his password in the hope that this action will
> revoke the robber's undue access to his account. It's kinda "expected"
> that after a password change, everyone with your old password will not be
> allowed to login.
>
> But as far as I can tell, this has been the default behaviour for a long
> time and no one ever bothered. So, am I missing something? Maybe my
> specific setup (I changed my auth backend a little bit) is problematic?
>
> - D
>

--
You received this message because you are subscribed to the Google Groups "Django users" group.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/988d1e6e-7e26-42b9-b14f-33f1032b491f%40googlegroups.com.
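
One way to get the behaviour the quoted message expects, as an added example (not code from this thread or from the linked application): each session stores an HMAC of the user's stored password hash, and every request re-checks it, so a password change invalidates all other sessions. It uses only the Python standard library; SERVER_KEY, SESSIONS, User and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: stand-in for a server-side secret
SESSIONS = {}  # assumption: in-memory session store, session id -> session data

def hash_password(password, salt):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def session_auth_hash(password_hash):
    """HMAC of the stored password hash; changes whenever the password changes."""
    return hmac.new(SERVER_KEY, password_hash.encode(), hashlib.sha256).hexdigest()

class User:
    def __init__(self, name, password):
        self.name = name
        self.set_password(password)

    def set_password(self, password):
        self.password_hash = hash_password(password, secrets.token_bytes(16))

def login(user):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user.name,
                     "auth_hash": session_auth_hash(user.password_hash)}
    return sid

def authenticate_request(sid, users):
    """Return the session's user, or None; a stale session is deleted."""
    session = SESSIONS.get(sid)
    user = users.get(session["user"]) if session else None
    if user is None:
        return None
    expected = session_auth_hash(user.password_hash)
    if not hmac.compare_digest(session["auth_hash"], expected):
        SESSIONS.pop(sid, None)  # password changed since this session logged in
        return None
    return user

def change_password(sid, user, new_password):
    """Change the password and re-bind only the session that made the change."""
    user.set_password(new_password)
    SESSIONS[sid]["auth_hash"] = session_auth_hash(user.password_hash)

def demo():
    users = {"alice": User("alice", "old-password")}  # constructed sample data
    here, elsewhere = login(users["alice"]), login(users["alice"])
    before = authenticate_request(elsewhere, users) is not None
    change_password(here, users["alice"], "new-password")
    return (before,
            authenticate_request(here, users) is not None,
            authenticate_request(elsewhere, users) is not None,
            elsewhere in SESSIONS)
```

Because the check runs per request, the other session is rejected on its next use without enumerating the session store.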

