Hi, I recently ran into a minor security issue with Django Auth. Currently, when a user changes their password, the user will stay logged in on all open sessions.

This is a problem when a password is compromised. The user will change their password and be confident that the problem is solved. However, if the compromised password has already been used to log in on another browser session, there are no changes to that session.

I understand that this could be seen as a responsibility for the developer building the Django application. However, as far as I know Django doesn't come with an out-of-the-box 'log out everything' option. It does come with a change password feature. But with the current implementation this feature is near-useless when the password has already been used to log in by a malicious user. With a default installation, it will not be possible to easily log out your other sessions.

I'm proposing that by default, Django Auth (or at least the admin system) should log out all sessions, except the one the user is currently changing the password in.

Thoughts?

Arnoud

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
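The two mitigations a developer can apply to the problem Arnoud describes, shown as an added example that is not part of the post and not Django's own code: (1) delete every other session belonging to the user at password-change time, keeping only the session the change is made in, and (2) stamp each session with an HMAC of the user's password hash and reject any session whose stamp no longer matches the current hash, so stale sessions die on their next request even if a bulk delete is not possible (this is the mechanism Django itself later adopted in 1.7 with `update_session_auth_hash`). The in-memory `SessionStore`, the `_auth_user_hash` key, the constant HMAC key and the `pbkdf2$...` password hashes are constructed stand-ins so the script runs without Django.

```python
"""Added example: invalidating other sessions on password change.

Models a session backend as an in-memory dict so it runs offline.
SessionStore, session_auth_hash and the helper names are assumptions
for this illustration, not Django API.
"""
import hashlib
import hmac
import secrets

# Constructed stand-in for a server-side secret (Django would use SECRET_KEY).
SERVER_SECRET = b"constructed-secret-key-for-example-only"


def session_auth_hash(password_hash):
    """HMAC of the stored password hash; changes whenever the password does."""
    return hmac.new(SERVER_SECRET, password_hash.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Minimal session backend: session_key -> session data dict."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id, password_hash):
        key = secrets.token_hex(16)
        self._sessions[key] = {
            "_auth_user_id": user_id,
            # Approach 2: bind the session to the password hash in force at login.
            "_auth_user_hash": session_auth_hash(password_hash),
        }
        return key

    def get(self, key):
        return self._sessions.get(key)

    def delete(self, key):
        self._sessions.pop(key, None)

    def keys(self):
        return list(self._sessions)


def invalidate_other_sessions(store, user_id, current_key):
    """Approach 1: drop every session of this user except the one changing the password."""
    removed = 0
    for key in store.keys():
        data = store.get(key)
        if data.get("_auth_user_id") == user_id and key != current_key:
            store.delete(key)
            removed += 1
    return removed


def session_is_valid(store, key, current_password_hash):
    """Approach 2: per-request check that the session's stamp matches the live password hash."""
    data = store.get(key)
    if data is None:
        return False
    expected = session_auth_hash(current_password_hash)
    return hmac.compare_digest(data["_auth_user_hash"], expected)


def change_password(store, user_id, current_key, new_password_hash):
    """Apply both mitigations: delete the others, re-stamp the current session so it survives."""
    removed = invalidate_other_sessions(store, user_id, current_key)
    store.get(current_key)["_auth_user_hash"] = session_auth_hash(new_password_hash)
    return removed


def demo():
    """Scenario from the post: the password was already used to log in from another browser."""
    store = SessionStore()
    old_hash, new_hash = "pbkdf2$old", "pbkdf2$new"  # constructed password hashes
    owner = store.create("alice", old_hash)          # session the user changes the password in
    other_browser = store.create("alice", old_hash)  # session opened with the compromised password
    bob = store.create("bob", "pbkdf2$bob")          # unrelated user must be untouched
    removed = change_password(store, "alice", owner, new_hash)
    return {
        "removed": removed,
        "owner_valid": session_is_valid(store, owner, new_hash),
        "other_browser_valid": session_is_valid(store, other_browser, new_hash),
        "bob_valid": session_is_valid(store, bob, "pbkdf2$bob"),
    }


if __name__ == "__main__":
    print(demo())
```

Approach 1 needs a backend that can enumerate sessions by user, which a plain cookie or cache backend cannot do; approach 2 works with any backend because the check happens on the stale session's next request, which is why it is the more general default.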