=== Session fixation issue in password reset token ===

Hello,

Thank you for your report.
After review, based on the scenario described, this does not constitute a security vulnerability in Django. The attack relies on the application first introducing a session fixation condition by accepting or setting a user-controlled session id. Issues that depend on an application allowing arbitrary session fixation fall outside Django's security policy.

If there is interest in discussing whether the password reset flow could be further hardened in environments where a session is already compromised, that would be better handled as a public ticket so it can be discussed through the normal development process.

Kind regards,
The Django Security Team.