Hi,
Yes. I agree with Arnoud. I have always felt a need to have such
an implementation in the default installation. I feel the auth system
should provide a built-in "log out all sessions" feature; otherwise, as
mentioned, it can heavily compromise security if the developer doesn't
take care of it explicitly.



On 7 January 2012 23:01, Arnoud van Heuvelen <avanheuve...@gmail.com> wrote:

> Hi,
>
> I recently ran into a minor security issue with Django Auth.
> Currently, when a user changes their password, the user will stay
> logged in on all open sessions.
>
> This is a problem when a password is compromised. The user will change
> their password and be confident that the problem is solved. However,
> if the compromised password has already been used to log in on another
> browser session there are no changes to that session.
>
> I understand that this could be seen as a responsibility for the
> developer building the Django application. However, as far as I know
> Django doesn't come with an out-of-the-box 'log out everything'
> option. It does come with a change password feature. But with the
> current implementation this feature is near-useless when the password
> has already been used to log in by a malicious user.
>
> With a default installation, it will not be possible to easily log out
> your other sessions. I'm proposing that by default, Django Auth (or at
> least the admin system) should log out all sessions, except the one
> the user is currently changing the password in.
>
> Thoughts?
>
> Arnoud
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To post to this group, send email to django-developers@googlegroups.com.
> To unsubscribe from this group, send email to
> django-developers+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.
>
>
Karthik Abinav,

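The mechanism the thread is asking for, as an added example that is not code from the thread or from Django itself: each session records a keyed hash of the user's current password hash at login, and every request re-checks it. Changing the password changes that hash, so every other session silently becomes invalid, while the session the change was made from is refreshed and survives. The `User`, `SessionStore` and `SECRET_KEY` here are a constructed stand-in for an application's user model and session backend, not Django APIs; `verify=False` reproduces the behaviour Arnoud describes, where sessions outlive a password change.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real application uses its own secret setting.
SECRET_KEY = b"constructed-demo-secret-key"


class User:
    """Minimal user model with a salted PBKDF2 password hash (stand-in, not Django's)."""

    def __init__(self, username, password):
        self.username = username
        self.salt = secrets.token_hex(8)
        self.password_hash = self._hash(password)

    def _hash(self, password):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt.encode(), 100_000
        ).hex()

    def check_password(self, password):
        return hmac.compare_digest(self._hash(password), self.password_hash)

    def set_password(self, password):
        # New salt as well as new hash, so the auth hash below changes
        # even if the user re-uses the same password.
        self.salt = secrets.token_hex(8)
        self.password_hash = self._hash(password)

    def session_auth_hash(self):
        # Keyed hash of the stored password hash. It is derived from the
        # hash, never the password, and changes whenever the password does.
        return hmac.new(SECRET_KEY, self.password_hash.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """In-memory session backend (stand-in for a real one)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {
            "user": user.username,
            "auth_hash": user.session_auth_hash(),  # snapshot taken at login
        }
        return sid

    def get_user(self, sid, users, verify=True):
        """Resolve a session to a user; with verify=True, stale sessions are dropped."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        user = users[data["user"]]
        if verify and not hmac.compare_digest(data["auth_hash"], user.session_auth_hash()):
            # Password changed after this session logged in: treat as logged out.
            del self._sessions[sid]
            return None
        return user

    def refresh_auth_hash(self, sid, user):
        # Called from the session that performed the change so it stays valid.
        self._sessions[sid]["auth_hash"] = user.session_auth_hash()


def change_password(store, sid, user, new_password):
    user.set_password(new_password)
    store.refresh_auth_hash(sid, user)


def demo(verify=True):
    """Attacker and victim both hold sessions; the victim changes the password."""
    users = {"alice": User("alice", "old-password")}
    store = SessionStore()
    alice = users["alice"]

    attacker_sid = store.login(alice)  # logged in with the compromised password
    victim_sid = store.login(alice)    # the user's own browser

    change_password(store, victim_sid, alice, "new-password")

    return {
        "victim_still_logged_in": store.get_user(victim_sid, users, verify) is alice,
        "attacker_still_logged_in": store.get_user(attacker_sid, users, verify) is alice,
    }


if __name__ == "__main__":
    print("without verification:", demo(verify=False))
    print("with verification:   ", demo(verify=True))
```

Because the check runs on every request rather than at password-change time, it also covers sessions the application has no list of (for example cookie-based or cache-based backends with no per-user index), which is why the per-request hash check is a more robust fit for a default than an explicit "delete all other sessions" query.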