Clarified session verification with respect to the current session.
This commit is contained in:
parent
6b83f61e72
commit
4c2a6fe75b
|
@ -810,6 +810,8 @@ user to the login page or issue an HTTP 403 Forbidden response.
|
||||||
redirects the user to the ``login_url``, optionally including the
|
redirects the user to the ``login_url``, optionally including the
|
||||||
``redirect_field_name`` if it is set.
|
``redirect_field_name`` if it is set.
|
||||||
|
|
||||||
|
.. currentmodule:: django.contrib.auth
|
||||||
|
|
||||||
.. _session-invalidation-on-password-change:
|
.. _session-invalidation-on-password-change:
|
||||||
|
|
||||||
Session invalidation on password change
|
Session invalidation on password change
|
||||||
|
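Review bot: the new ``.. currentmodule:: django.contrib.auth`` directive changes the module context for everything that follows it in the file, not just for the ``update_session_auth_hash`` entry it is meant to qualify, so any later ``.. function::`` or ``.. class::`` block in this file that belongs to another module (for example ``django.contrib.auth.views``) will now be indexed under ``django.contrib.auth`` unless it carries its own ``currentmodule`` or a fully qualified name. Worth a quick scan of the rest of the file for such blocks before merging.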
@ -829,16 +831,20 @@ If your :setting:`AUTH_USER_MODEL` inherits from
|
||||||
:meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash()`
|
:meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash()`
|
||||||
method, authenticated sessions will include the hash returned by this function.
|
method, authenticated sessions will include the hash returned by this function.
|
||||||
In the :class:`~django.contrib.auth.models.AbstractBaseUser` case, this is an
|
In the :class:`~django.contrib.auth.models.AbstractBaseUser` case, this is an
|
||||||
HMAC of the password field. Django verifies that the hash sent along with each
|
HMAC of the password field. Django verifies that the hash in the session for
|
||||||
request matches the one that's computed server-side. This allows a user to log
|
each request matches the one that's computed during the request. This allows a
|
||||||
out all of their sessions by changing their password.
|
user to log out all of their sessions by changing their password.
|
||||||
|
|
||||||
The default password change views included with Django,
|
The default password change views included with Django,
|
||||||
:class:`django.contrib.auth.views.PasswordChangeView` and the
|
:class:`~django.contrib.auth.views.PasswordChangeView` and the
|
||||||
``user_change_password`` view in the :mod:`django.contrib.auth` admin, update
|
``user_change_password`` view in the :mod:`django.contrib.auth` admin, update
|
||||||
the session with the new password hash so that a user changing their own
|
the session with the new password hash so that a user changing their own
|
||||||
password won't log themselves out. If you have a custom password change view
|
password won't log themselves out. If you have a custom password change view
|
||||||
and wish to have similar behavior, use this function:
|
and wish to have similar behavior, use the :func:`update_session_auth_hash`
|
||||||
|
function. In this case, however, if a user also wants to invalidate the session
|
||||||
|
from which they're changing their password (for example, if they believe the
|
||||||
|
session cookie on their machine was stolen), then they also need to log out
|
||||||
|
that session.
|
||||||
|
|
||||||
.. function:: update_session_auth_hash(request, user)
|
.. function:: update_session_auth_hash(request, user)
|
||||||
|
|
||||||
|
|
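Review bot: the added paragraph tells the user they "also need to log out that session" if they believe the cookie was stolen, but does not say why changing the password is not enough, and a reader who has just been told that the password change views "update the session with the new password hash" may conclude the opposite. Suggest one sentence making the mechanism explicit: a stolen cookie identifies the same server-side session the user is changing the password from, so ``update_session_auth_hash`` refreshes the hash for the thief as well, and only logging out, which discards that session, invalidates the stolen copy. Separately, "the one that's computed during the request" is vaguer than the wording it replaces; "the one recomputed from the user's current password field" ties it back to the HMAC described two lines earlier.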