Clarified session verification with respect to the current session.

This commit is contained in:
Tim Graham 2016-08-03 15:16:43 -04:00
parent 6b83f61e72
commit 4c2a6fe75b
1 changed file with 11 additions and 5 deletions


@ -810,6 +810,8 @@ user to the login page or issue an HTTP 403 Forbidden response.
redirects the user to the ``login_url``, optionally including the redirects the user to the ``login_url``, optionally including the
``redirect_field_name`` if it is set. ``redirect_field_name`` if it is set.
.. currentmodule:: django.contrib.auth
.. _session-invalidation-on-password-change: .. _session-invalidation-on-password-change:
Session invalidation on password change Session invalidation on password change
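Review bot: the `.. currentmodule:: django.contrib.auth` directive added here changes the default module for every role and directive that follows it in this file, not only for the "Session invalidation on password change" section, so any later `:func:`/`:class:` reference without a fully qualified path will now resolve against `django.contrib.auth`. Worth a scan of the rest of the file to confirm nothing further down relied on the previous module context; if the directive exists only so that `:func:`update_session_auth_hash`` and the `.. function::` block resolve, placing it immediately above that section heading (as done) is fine, but a one-line comment saying so would help the next editor.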
@ -829,16 +831,20 @@ If your :setting:`AUTH_USER_MODEL` inherits from
:meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash()` :meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash()`
method, authenticated sessions will include the hash returned by this function. method, authenticated sessions will include the hash returned by this function.
In the :class:`~django.contrib.auth.models.AbstractBaseUser` case, this is an In the :class:`~django.contrib.auth.models.AbstractBaseUser` case, this is an
HMAC of the password field. Django verifies that the hash sent along with each HMAC of the password field. Django verifies that the hash in the session for
request matches the one that's computed server-side. This allows a user to log each request matches the one that's computed during the request. This allows a
out all of their sessions by changing their password. user to log out all of their sessions by changing their password.
The default password change views included with Django, The default password change views included with Django,
:class:`django.contrib.auth.views.PasswordChangeView` and the :class:`~django.contrib.auth.views.PasswordChangeView` and the
``user_change_password`` view in the :mod:`django.contrib.auth` admin, update ``user_change_password`` view in the :mod:`django.contrib.auth` admin, update
the session with the new password hash so that a user changing their own the session with the new password hash so that a user changing their own
password won't log themselves out. If you have a custom password change view password won't log themselves out. If you have a custom password change view
and wish to have similar behavior, use this function: and wish to have similar behavior, use the :func:`update_session_auth_hash`
function. In this case, however, if a user also wants to invalidate the session
from which they're changing their password (for example, if they believe the
session cookie on their machine was stolen), then they also need to log out
that session.
.. function:: update_session_auth_hash(request, user) .. function:: update_session_auth_hash(request, user)
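Review bot: the new caveat paragraph ("In this case, however, if a user also wants to invalidate the session from which they're changing their password ... then they also need to log out that session.") states what the reader must do but not how; since this hunk already adds a `:func:`update_session_auth_hash`` cross-reference, the same paragraph should cross-reference the logout function in this module so a custom view author knows which call ends the current session. Two wording points as well: "the session cookie on their machine was stolen" would be clearer as "a copy of the session cookie was obtained by someone else", because the risk being described is that a still-valid copy of this session's cookie exists elsewhere (updating the hash keeps exactly that session valid); and the rewritten sentence "the hash in the session for each request matches the one that's computed during the request" correctly replaces the old "hash sent along with each request", which wrongly implied the hash travels in the cookie, so that part is an improvement worth keeping.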