Using the "forgot password" mechanism doesn't invalidate other sessions

[Mike Lissner]

(I don't think this is enough of a vuln to not file publicly, since no way to really take advantage of it.)

We just received a vulnerability report that when a user learns that their account has been hijacked, forgets their password, and uses the "Forgot Password" link, Django doesn't invalidate the hijacked cookies, despite the user just changing their password.

Django *does* invalidate cookies when passwords are reset via other mechanisms, but not when they're done this way.

I haven't tested this, but I think a one-line patch could be added here:

​https://github.com/django/django/blob/master/django/contrib/auth/views.py#L300-L305

I *think* we just need to add:

update_session_auth_hash(self.request, form.user)

And that might do it?

[Marten Kenbeek]

Just updating the password is enough to invalidate all sessions. As you can see in ​User.get_session_auth_hash(), the session hash is an HMAC of the current password hash. Any session which does not have the correct session hash after the password has been updated is automatically discarded when accessed.

What update_session_auth_hash() does is revalidate the current session, by saving the new session hash in it. This prevents that a logged in user has to log in again when they've just entered both their old and new passwords in the very same session.

In PasswordResetView, the user is not expected to be logged in, so revalidating the session has no effect.

[Mike Lissner]

Curious. I thought I reproduced it too, but perhaps I didn't do my test properly. I'm checking with the vulnerability reporter if he can reproduce it and will reopen if there's some subtlety we've missed (I suspect not!).

Thanks for the response and sorry for taking your time.