Opened 9 years ago
Closed 9 years ago
#27009 closed Cleanup/optimization (fixed)
Make update_session_auth_hash() rotate the session key
| Reported by: | Tim Graham | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.10 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
If contrib.auth.update_session_auth_hash() rotates the session key, this invalidates stolen session cookies upon a password change.
Note:
See TracTickets
for help on using tickets.
PR