#21649 closed New feature (fixed)
Add session signing based on the value of the user's password
| Reported by: | Tim Graham | Owned by: | Tim Graham |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Add another value ('_auth_user_hash', '<some hash stuff>') based on the HMAC of the user's password hash to session verification. This will have the benefit of allowing a user to log out their other sessions by changing the password. Of course, it should not log out the current session.
Change History (9)
comment:1 Changed 10 years ago by
| Has patch: | set |
|---|
comment:2 Changed 10 years ago by
I think in the past we've done work to preserve sessions across version upgrades. This of course has the downside of making the full benefit of the patch take an extra version to manifest. I personally don't mind sessions going away during upgrade, but I believe that some users of Django may not be comfortable with that.
I'd defer to Jacob or Luke or another conservative core dev. The upgrade code path shouldn't be too complex in this case.
comment:3 Changed 10 years ago by
| Patch needs improvement: | set |
|---|
Florian and Shai were both against losing sessions for this change. Shai suggested have a separate middleware for session signing & verification so that users who don't want this behavior can opt-out. I'll look into that approach.
comment:4 Changed 10 years ago by
| Patch needs improvement: | unset |
|---|
Here's an updated PR that uses the middleware approach suggested above.
comment:5 Changed 10 years ago by
| Triage Stage: | Accepted → Ready for checkin |
|---|
comment:6 Changed 10 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
PR is up for review.
One thing I'd like feedback on is whether we should try to make this more backwards-compatible. Currently: "As a side effect of this change, users will be logged out when upgrading from an older version of Django."