On Sun, Jan 8, 2012 at 2:57 PM, Arnoud van Heuvelen <avanheuve...@gmail.com> wrote:
...
> 3) Save the password hash (or part of it) in the session and compare
> it against our data. If the hash is not the same, the user needs to be
> logged out. This wouldn't change the database, but the downside is
> that this causes overhead on every request.

+1.

1) We need a way to handle existing sessions when upgrading to the new Django w/ this support. I think the most natural support for the validation is auth.get_user: https://code.djangoproject.com/browser/django/trunk/django/contrib/auth/__init__.py?rev=16539#L94 to check the hash before returning.

2) I don't think the user should be logged out of their own session when changing the password, and so we'd need to update the active session on its way back to the user. This is messier - we'd need to detect when the password changed (User.set_password called?) and update the related request session, if any. That may be best accomplished through a signal fired when the password is changed and handled in session.

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
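The scheme discussed in this thread (a value derived from the password hash kept in the session, checked in get_user on every request, and refreshed for the user's own session when the password changes), as an added pure-Python illustration that is not Django's code. The toy hasher, the SECRET_KEY constant, the in-memory USERS store and the list-based "signal" are constructed stand-ins, and the session stores an HMAC of the stored password hash rather than the hash itself (an assumption of this example, so a leaked session never exposes hash material); sessions that carry no hash at all, such as ones created before the upgrade, are treated as stale and flushed.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-secret-key"   # stand-in for the framework secret (assumption)
USER_ID_KEY, HASH_KEY = "_auth_user_id", "_auth_user_hash"
USERS = {}                               # constructed in-memory user store
password_changed = []                    # tiny stand-in for a signal: a list of receivers

def make_password(raw):
    """Toy salted hasher; stands in for a real password hasher (constructed)."""
    return "sha256$s1$" + hashlib.sha256(("s1" + raw).encode()).hexdigest()

class User:
    def __init__(self, user_id, raw):
        self.id, self.password = user_id, make_password(raw)
        USERS[user_id] = self

    def set_password(self, raw):
        self.password = make_password(raw)
        for receiver in password_changed:   # fire the "password changed" signal
            receiver(self)

    def session_auth_hash(self):
        # Keyed digest of the stored hash: the session never carries the hash itself.
        return hmac.new(SECRET_KEY, self.password.encode(), hashlib.sha256).hexdigest()

def login(session, user):
    session[USER_ID_KEY] = user.id
    session[HASH_KEY] = user.session_auth_hash()

def get_user(session):
    """Like auth.get_user, but flushes and returns None when the session hash is stale or absent."""
    user = USERS.get(session.get(USER_ID_KEY))
    stored = session.get(HASH_KEY)
    if user is None or stored is None or not hmac.compare_digest(stored, user.session_auth_hash()):
        session.clear()   # covers pre-upgrade sessions (no hash) and sessions from before a password change
        return None
    return user

def change_own_password(session, user, new_raw):
    """Password change made from the user's own session: a signal receiver refreshes that session."""
    def refresh(changed_user):
        if session.get(USER_ID_KEY) == changed_user.id:
            session[HASH_KEY] = changed_user.session_auth_hash()
    password_changed.append(refresh)
    try:
        user.set_password(new_raw)
    finally:
        password_changed.remove(refresh)
```

Other sessions of the same user keep the old digest, so the next get_user on them fails the compare and logs them out, which is the behaviour the quoted proposal asks for.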