Changes between Initial Version and Version 1 of Ticket #28285


Timestamp: Jun 8, 2017, 12:46:41 PM (7 years ago)
Author: Tim Graham
Comment:

Here's my understanding of the scenario:

  1. User X logs in and creates session A
  2. Number of hash iterations changes in Django due to a software upgrade
  3. Session A is still valid at this point
  4. For whatever reason (using a different browser perhaps), user X logs in and creates session B, triggering a password hash upgrade and an invalidation of session A

I don't think there's a way to keep session A valid in this scenario. Am I misunderstanding something?

Ticket #28285 – Description, version 1. Changes from the initial version: the file, function and key names were put in code formatting, the reference to `contrib.auth.__init__.py/get_user()` became `contrib.auth.get_user()`, and the two separate lines around it were joined into one sentence. The quoted code block from base_user.py is unchanged between versions and is not shown in the diff.

The code below, from `contrib.auth.base_user.py`, says "hash upgrade is not a password change"

[quoted code block from base_user.py, unchanged and not shown in the diff]

but the code in `contrib.auth.get_user()` verifies the session by comparing a salted hmac of the password hash to the same thing stored in the session.

If we update the password hash the salted hmac will change. Therefore, the session will no longer be considered valid and will be flushed. We can keep the session alive by updating the `HASH_SESSION_KEY` in `request.session` e.g. via the `update_session_auth_hash()` function. But this is not called by the setter function when the hasher is updated.

So the first time the user logs (with the correct password) following an upgrade, their (valid) session will be flushed and they will be logged out again.
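The mechanism the description and Tim Graham's comment argue about can be replayed offline. The following is an added example, not code from the ticket or from Django: it is a simplified stand-in for `AbstractBaseUser.get_session_auth_hash()`, the `check_password()` setter path, `contrib.auth.login()`, `update_session_auth_hash()` and the comparison in `contrib.auth.get_user()`. The `SECRET_KEY`, key salt, password, salt and iteration counts are constructed demo values, and `User`, `login`, `session_is_valid`, `same_session_upgrade` and `second_browser_login` are hypothetical helpers for this example. It shows both cases: the ticket's concern (the upgrade happens inside the request that owns the session, where refreshing the session hash keeps it valid) and Tim's scenario (the upgrade is triggered by a login from a second browser, where the first session cannot be refreshed because only the current request's session is reachable).

```python
import base64
import hashlib
import hmac

# Constructed demo values (assumptions): not Django's real SECRET_KEY, key salt
# or hasher configuration. The session key name is the one the ticket cites.
SECRET_KEY = "constructed-demo-secret-key"
KEY_SALT = "demo.session_auth_hash"
HASH_SESSION_KEY = "_auth_user_hash"
PASSWORD = "correct horse battery staple"


def salted_hmac(key_salt: str, value: str) -> str:
    """Simplified stand-in for Django's salted_hmac(): derive a key from the
    key salt plus SECRET_KEY, then HMAC the value with it."""
    key = hashlib.sha256((key_salt + SECRET_KEY).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def make_password(raw: str, iterations: int, salt: str = "constructedsalt") -> str:
    """PBKDF2-SHA256 in Django's encoded layout: algorithm$iterations$salt$hash."""
    dk = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(dk).decode()}"


class User:
    """Minimal model of the parts of AbstractBaseUser the ticket talks about."""

    def __init__(self, raw_password: str, iterations: int) -> None:
        self.password = make_password(raw_password, iterations)

    def get_session_auth_hash(self) -> str:
        # HMAC over the *stored password hash*, so any change to that hash,
        # including a hasher/iteration upgrade, changes the session auth hash.
        return salted_hmac(KEY_SALT, self.password)

    def check_password(self, raw: str, preferred_iterations: int) -> bool:
        """Verify raw against the stored hash; on success, the 'setter' path
        re-hashes with the preferred iteration count if it differs."""
        _alg, iters, salt, _digest = self.password.split("$", 3)
        ok = hmac.compare_digest(make_password(raw, int(iters), salt), self.password)
        if ok and int(iters) != preferred_iterations:
            # "hash upgrade is not a password change", but it does move the
            # value get_session_auth_hash() returns.
            self.password = make_password(raw, preferred_iterations, salt)
        return ok


def login(session: dict, user: User) -> None:
    session[HASH_SESSION_KEY] = user.get_session_auth_hash()


def update_session_auth_hash(session: dict, user: User) -> None:
    """Rewrite the stored hash; it can only reach the session of the current request."""
    session[HASH_SESSION_KEY] = user.get_session_auth_hash()


def session_is_valid(session: dict, user: User) -> bool:
    """The comparison contrib.auth.get_user() performs: a mismatch here is what
    causes the session to be flushed."""
    return hmac.compare_digest(session.get(HASH_SESSION_KEY, ""), user.get_session_auth_hash())


def same_session_upgrade(refresh: bool) -> bool:
    """The ticket's concern: the upgrade happens in a request that already owns
    session A (e.g. a re-authentication). Returns whether A stays valid."""
    user = User(PASSWORD, iterations=1000)
    session_a = {}
    login(session_a, user)
    user.check_password(PASSWORD, preferred_iterations=2000)  # triggers the upgrade
    if refresh:
        update_session_auth_hash(session_a, user)
    return session_is_valid(session_a, user)


def second_browser_login() -> tuple:
    """Tim Graham's scenario: session A exists, the iteration count changes,
    then the user logs in again from a second browser. Returns
    (A valid after the settings change, A valid after login B, B valid)."""
    user = User(PASSWORD, iterations=1000)
    session_a, session_b = {}, {}
    login(session_a, user)                                        # step 1
    a_after_settings_change = session_is_valid(session_a, user)   # step 3: nothing re-hashed yet
    user.check_password(PASSWORD, preferred_iterations=2000)      # step 4: login B upgrades the hash
    login(session_b, user)
    update_session_auth_hash(session_b, user)  # only this request's session can be refreshed
    return a_after_settings_change, session_is_valid(session_a, user), session_is_valid(session_b, user)


if __name__ == "__main__":
    print("same session, no refresh:", same_session_upgrade(False))          # False
    print("same session, refreshed: ", same_session_upgrade(True))           # True
    print("second browser (A before, A after, B):", second_browser_login())  # (True, False, True)
```

The first function reproduces the ticket's point: after a hash upgrade the salted HMAC no longer matches, and the session survives only if its stored hash is rewritten. The second reproduces Tim's point: session A is still valid after the setting change alone, and is invalidated the moment the hash is upgraded by a login elsewhere, because `update_session_auth_hash()` can only touch the session attached to the request that triggered the upgrade.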