Django: How to destroy user session after password reset / change?

I recently implemented a simple password reset in my Django project. The thing is that the old session should be destroyed for security reasons. What is the best way to do this without asking the user to log in again?

I think I can just log out / log in, something like this:

```python
from django.contrib.auth import login as auth_login
from django.contrib.auth import logout as auth_logout
from django.contrib.auth.decorators import login_required


@login_required
def change_password(request):
    # My stuff (new_password comes from the submitted form)
    user = request.user
    user.set_password(new_password)
    user.save()
    # I need this: keep a reference to the user, because request.user
    # becomes AnonymousUser once logout() has run
    auth_logout(request)
    auth_login(request, user)
```

But I think this is not a good idea. What do you think?

Is there any other way to do this?

Am I missing something? (I mean, is it safe?)

+4
4 answers

Take a look at this app https://github.com/atugushev/django-password-session . This package invalidates all sessions (except the current session) after changing the password.

Also, this feature was finally implemented in Django 1.7. See: https://docs.djangoproject.com/en/dev/topics/auth/default/#session-invalidation-on-password-change

+3

I just found out that this is now a built-in Django feature, since 1.7:

https://docs.djangoproject.com/en/1.7/topics/auth/default/#session-invalidation-on-password-change

Essentially, all sessions now include a user password hash, so if a user ever changes their password, all their existing sessions automatically become invalid.

So, a short answer to your question: upgrade Django.

One possible unwanted side effect of this change is that, by default, the user has to log in again as soon as they change their password. You probably really want the current user's session to remain logged in. See the docs already linked: Django's built-in views for changing a password do this by default, or you can manually call a function called update_session_auth_hash.

+2
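An added illustration (not code from the page or from Django itself) of the mechanism this answer describes: each session stores an HMAC of the user's password hash, a session whose stored value no longer matches is treated as logged out, and update_session_auth_hash refreshes only the current session. SECRET_KEY, the User class and the session dicts are constructed stand-ins; the HMAC construction mirrors django.utils.crypto.salted_hmac.

```python
import hashlib
import hmac

SECRET_KEY = "constructed-secret-key"  # stands in for settings.SECRET_KEY
# Same key salt Django uses for AbstractBaseUser.get_session_auth_hash
KEY_SALT = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"
HASH_SESSION_KEY = "_auth_user_hash"  # the session key Django writes on login


def salted_hmac(key_salt: str, value: str) -> str:
    """Same construction as django.utils.crypto.salted_hmac (sha256 variant)."""
    key = hashlib.sha256((key_salt + SECRET_KEY).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


class User:
    """Constructed stand-in: Django stores the password *hash* in .password."""

    def __init__(self) -> None:
        self.password = ""

    def set_password(self, raw: str) -> None:
        # Real Django uses a salted PBKDF2 hash; a bare digest suffices here.
        self.password = "sim$" + hashlib.sha256(raw.encode()).hexdigest()

    def get_session_auth_hash(self) -> str:
        return salted_hmac(KEY_SALT, self.password)


def login(user: User) -> dict:
    """Create a session that remembers the HMAC of the current password hash."""
    return {HASH_SESSION_KEY: user.get_session_auth_hash()}


def session_is_valid(session: dict, user: User) -> bool:
    """The check get_user() performs on every request: stale hash => logged out."""
    stored = session.get(HASH_SESSION_KEY, "")
    return hmac.compare_digest(stored, user.get_session_auth_hash())


def update_session_auth_hash(session: dict, user: User) -> None:
    """Keep the *current* session alive after the password change."""
    session[HASH_SESSION_KEY] = user.get_session_auth_hash()


def demo() -> tuple:
    user = User()
    user.set_password("old-password")
    laptop, phone = login(user), login(user)  # two active sessions
    user.set_password("new-password")          # changed from the laptop
    update_session_auth_hash(laptop, user)     # only the laptop is refreshed
    return session_is_valid(laptop, user), session_is_valid(phone, user)
```

Without the update_session_auth_hash call the laptop session would be invalidated too, which is the "log in again" side effect mentioned above.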

Django clears the session upon logout, so you'll be fine:

https://docs.djangoproject.com/en/dev/topics/auth/#django.contrib.auth.logout

When you call logout(), the session data for the current request is completely cleaned out. All existing data is removed. This is to prevent another person from using the same web browser to log in and have access to the previous user's session data.

+1

I do not understand what these security reasons are that require resetting the session. But, one way:

```python
from django.contrib.auth import authenticate, login, logout
from django.contrib.auth.decorators import login_required
from django.core.exceptions import PermissionDenied


@login_required
def change_password(request):
    request.user.set_password(new_password)
    request.user.save()
    username = request.user.username
    logout(request)
    user = authenticate(username=username, password=new_password)  # <-- here!!
    if user is not None:
        login(request, user)
    else:
        raise PermissionDenied  # raise your exception
```

You must authenticate before logging in. Quoting the docs:

Calling authenticate() first: When you're manually logging a user in, you must call authenticate() before you call login(). authenticate() sets an attribute on the User noting which authentication backend successfully authenticated that user (see the backends documentation for details), and this information is needed later during the login process.

+1

Source: https://habr.com/ru/post/1399094/
