Fixed #27009 -- Made update_session_auth_hash() rotate the session key.

django/contrib/auth/__init__.py

@@ -215,6 +215,7 @@ def update_session_auth_hash(request, user):
     appropriately to prevent a password change from logging out the session
     from which the password was changed.
     """
+    request.session.cycle_key()
     if hasattr(user, 'get_session_auth_hash') and request.user == user:
         request.session[HASH_SESSION_KEY] = user.get_session_auth_hash()
 

docs/releases/1.11.txt

@@ -84,6 +84,9 @@ Minor features
   :class:`~django.contrib.auth.views.PasswordResetConfirmView` allows
   automatically logging in a user after a successful password reset.
 
+* :func:`~django.contrib.auth.update_session_auth_hash` now rotates the session
+  key to allow a password change to invalidate stolen session cookies.
+
 :mod:`django.contrib.contenttypes`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

docs/topics/auth/default.txt

@@ -841,16 +841,16 @@ The default password change views included with Django,
 the session with the new password hash so that a user changing their own
 password won't log themselves out. If you have a custom password change view
 and wish to have similar behavior, use the :func:`update_session_auth_hash`
-function. In this case, however, if a user also wants to invalidate the session
+function.
-from which they're changing their password (for example, if they believe the
-session cookie on their machine was stolen), then they also need to log out
-that session.
 
 .. function:: update_session_auth_hash(request, user)
 
     This function takes the current request and the updated user object from
     which the new session hash will be derived and updates the session hash
-    appropriately. Example usage::
+    appropriately. It also rotates the session key so that a stolen session
+    cookie will be invalidated.
+
+    Example usage::
 
         from django.contrib.auth import update_session_auth_hash
 
@@ -863,6 +863,10 @@ that session.
             else:
                 ...
 
+    .. versionchanged:: 1.11
+
+        Rotating of the session key was added.
+
 .. note::
 
     Since

tests/auth_tests/test_views.py

@@ -479,6 +479,7 @@ class SessionAuthenticationTests(AuthViewsTestCase):
         session auth hash after a password change so the session isn't logged out.
         """
         self.login()
+        original_session_key = self.client.session.session_key
         response = self.client.post('/password_change/', {
             'old_password': 'password',
             'new_password1': 'password1',
@@ -486,6 +487,8 @@ class SessionAuthenticationTests(AuthViewsTestCase):
         })
         # if the hash isn't updated, retrieving the redirection page will fail.
         self.assertRedirects(response, '/password_change/done/')
+        # The session key is rotated.
+        self.assertNotEqual(original_session_key, self.client.session.session_key)
 
 
 class LoginTest(AuthViewsTestCase):