id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28285	Updating Password Hasher Invalidates Users First Login After Upgrade	Simon Blanchard	nobody	"The code below, from `contrib.auth.base_user.py`, says ""hash upgrade is not a password change""

{{{
    def check_password(self, raw_password):
        """"""
        Return a boolean of whether the raw_password was correct. Handles
        hashing formats behind the scenes.
        """"""
        def setter(raw_password):
            self.set_password(raw_password)
            # Password hash upgrades shouldn't be considered password changes.
            self._password = None
            self.save(update_fields=[""password""])
        return check_password(raw_password, self.password, setter)
}}}


but the code in `contrib.auth.get_user()` verifies the session by comparing a salted hmac of the password hash to the same thing stored in the session.

If we update the password hash the salted hmac will change. Therefore, the session will no longer be considered valid and will be flushed. We can keep the session alive by updating the `HASH_SESSION_KEY` in `request.session` e.g. via the `update_session_auth_hash()` function. But this is not called by the setter function when the hasher is updated.

So the first time the user logs in (with the correct password) following an upgrade, their (valid) session will be flushed and they will be logged out again."	Bug	closed	contrib.auth	1.11	Normal	worksforme			Unreviewed	0	0	0	0	0	0
