Hi, To conclude, I think it would be better to change the number of iterations not every 8 months, but every 2 years (with a new LTS release).
אורי u...@speedy.net On Thu, Sep 3, 2020 at 10:29 AM Florian Apolloner <f.apollo...@gmail.com> wrote: > I do not think there is anything to reopen because it works as designed. > Password changes cause other browser sessions to be terminated because the > session auth hash no longer matches. You can use a custom user model and > override `get_session_auth_hash` but the defaults won't change, sorry. > > On Thursday, September 3, 2020 at 4:56:13 AM UTC+2 Uri wrote: > >> Django developers, >> >> I would like to reopen #31970 >> <https://code.djangoproject.com/ticket/31970>. In short, the problem is >> - if a user is logged in with more than one browser, and when we upgrade >> Django to any version which *PBKDF2PasswordHasher.iterations* changes >> (which is *any* new version), and then the user logs in again - this >> logs them out from all other browsers. I think this is a bug. >> >> I found out that this can be avoided by changing *def must_update*, for >> example if you change it to something like: >> >> def must_update(self, encoded): >> # Update the stored password only if the iterations diff is at least >> 250,000. >> algorithm, iterations, salt, hash = encoded.split('$', 3) >> iterations_diff = abs(self.iterations - int(iterations)) >> return ((int(iterations) != self.iterations) and (iterations_diff >= >> 250000)) >> >> Or even simply: >> >> def must_update(self, encoded): >> return False >> >> >> אורי >> u...@speedy.net >> > -- > You received this message because you are subscribed to the Google Groups > "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-developers+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-developers/87b16804-3da2-46b7-8ff5-466cd2f38aa2n%40googlegroups.com > <https://groups.google.com/d/msgid/django-developers/87b16804-3da2-46b7-8ff5-466cd2f38aa2n%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CABD5YeHppQW8gc5-eg3-wN-7wSVXWumPvYVAZD5OTW9PnGtCTA%40mail.gmail.com.
