On Tuesday, January 10, 2012 03:56:04 UTC+1, Sergiy wrote:
>
> I'm not sure that invalidating session based on last password change is
> the right thing to do. If the password has been compromised, this
> effectively enables an active attacker to deny access to the legitimate
> user.
Well, as far as I see it, we have a number of options. These are some
I could come up with, but maybe someone else has a better idea:
1) Save the user_id with the session. This is probably not convenient,
because it might conflict with other applications that use the session
package. Of course we
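As an added, standalone illustration of option 1 (not code from this thread and not Django's own implementation): the session stores the user_id together with an HMAC over the user's current password hash. Any session whose stored value no longer matches is treated as stale and dropped, while the session that performed the password change is refreshed so the legitimate user is not logged out. Django later shipped a comparable mechanism (the session auth hash, from 1.7 on); everything below, including the in-memory user table, session store, secret key and PBKDF2 hasher, is constructed for the example.

```python
"""Sketch of invalidating other sessions when a password changes.

Constructed example: in-memory user table and session store, standard
library only. Not Django code and not from the mailing-list thread.
"""
import hashlib
import hmac
import secrets

SECRET_KEY = "constructed-secret-key-for-the-example"  # assumption: per-deployment secret

USERS = {}      # constructed "database": user_id -> password hash
SESSIONS = {}   # constructed session store: session_key -> session dict


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; stands in for whatever hasher the app uses."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
    return f"pbkdf2_sha256${salt}${digest.hex()}"


def check_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, salt, _ = stored.split("$")
    return hmac.compare_digest(hash_password(password, salt), stored)


def session_auth_hash(user_id):
    """HMAC over the user's current password hash, keyed with SECRET_KEY.

    The value changes whenever the password hash changes, so a session that
    still carries an older value can be detected without storing a timestamp
    of the last password change.
    """
    return hmac.new(SECRET_KEY.encode(), USERS[user_id].encode(), hashlib.sha256).hexdigest()


def create_user(user_id, password):
    USERS[user_id] = hash_password(password)


def login(user_id, password):
    """Authenticate and open a session recording user_id and the auth hash."""
    if user_id not in USERS or not check_password(password, USERS[user_id]):
        return None
    key = secrets.token_urlsafe(32)
    SESSIONS[key] = {"user_id": user_id, "auth_hash": session_auth_hash(user_id)}
    return key


def get_user(session_key):
    """Resolve a session to a user, rejecting and deleting stale sessions.

    A stale auth hash means the password changed after this session was
    created; dropping it is what logs the attacker out.
    """
    session = SESSIONS.get(session_key)
    if session is None:
        return None
    expected = session_auth_hash(session["user_id"])
    if not hmac.compare_digest(session["auth_hash"], expected):
        del SESSIONS[session_key]
        return None
    return session["user_id"]


def change_password(session_key, new_password):
    """Change the password and refresh only the session that requested it.

    Every other session for this user now carries an outdated auth hash and
    is rejected on its next request.
    """
    user_id = get_user(session_key)
    if user_id is None:
        raise PermissionError("not authenticated")
    USERS[user_id] = hash_password(new_password)
    SESSIONS[session_key]["auth_hash"] = session_auth_hash(user_id)
    return user_id


def demo():
    """Scenario from the thread: attacker knows the old password and has an
    open session; the user changes the password from their own session."""
    create_user("alice", "correct horse")
    attacker = login("alice", "correct horse")
    victim = login("alice", "correct horse")
    assert get_user(attacker) == "alice"          # attacker is logged in for now
    change_password(victim, "new passphrase")
    return get_user(victim), get_user(attacker), victim in SESSIONS, attacker in SESSIONS


if __name__ == "__main__":
    print(demo())  # ('alice', None, True, False)
```

Because the check derives from the password hash rather than a "last changed" timestamp, nothing extra has to be written to the user row, and the session that initiated the change can be kept alive simply by recomputing its stored value. It does not address the separate point raised above: an attacker who already holds the password can still change it first, which no session-invalidation scheme can prevent.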
Hi,
I recently ran into a minor security issue with Django Auth.
Currently, when a user changes their password, the user will stay
logged in on all open sessions.
This is a problem when a password is compromised. The user will change
their password and be confident that the problem is solved. How