Hi,
Yes. I agree with Arnoud. I have always felt a need to have such
an implementation with the default installation. I feel the auth system
should provide an in-built logout-all-sessions feature; otherwise, as
mentioned, it can heavily compromise security if the developer doesn't
take care of it explicitly.
On 7 January 2012 23:01, Arnoud van Heuvelen <[email protected]> wrote:
> Hi,
>
> I recently ran into a minor security issue with Django Auth.
> Currently, when a user changes their password, the user will stay
> logged in on all open sessions.
>
> This is a problem when a password is compromised. The user will change
> their password and be confident that the problem is solved. However,
> if the compromised password has already been used to log in on another
> browser session there are no changes to that session.
>
> I understand that this could be seen as a responsibility for the
> developer building the Django application. However, as far as I know
> Django doesn't come with an out-of-the-box 'log out everything'
> option. It does come with a change password feature. But with the
> current implementation this feature is near-useless when the password
> has already been used to log in by a malicious user.
>
> With a default installation, it will not be possible to easily log out
> your other sessions. I'm proposing that by default, Django Auth (Or at
> least the admin system.) should log out all sessions, except the one
> the user is currently changing the password in.
>
> Thoughts?
>
> Arnoud
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.
>
>
Karthik Abinav,
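For readers of this thread: the scheme Arnoud is asking for (every other session dies when the password changes, the current one survives) is the one Django later shipped in 1.7 as a session-stored hash derived from the password hash, checked on every request, with `update_session_auth_hash()` refreshing the current session. The block below is an added, stand-alone example of that mechanism written for this page; it is not code from the thread or from Django. The `User`, `SessionStore`, `SECRET_KEY` and the demo credentials are constructed for illustration, and the password "hasher" is a deliberate stand-in for a real salted KDF.

```python
"""Session invalidation on password change, illustrated.

Added example, not Django's code. Each session stores an HMAC of the
user's current password hash. On every request the stored value is
compared with a freshly computed one; a mismatch means the password was
changed elsewhere, so the session is flushed. The session in which the
change was made is refreshed so the user changing the password stays
logged in, while every other session (including an attacker's) is cut off.
"""
import hashlib
import hmac
import secrets

# Assumption: an application-wide secret, like Django's SECRET_KEY.
SECRET_KEY = b"constructed-secret-key-for-demo"


class User:
    def __init__(self, username, password):
        self.username = username
        self.password_hash = self._hash_password(password)

    @staticmethod
    def _hash_password(password):
        # Stand-in for a real password hasher (salted PBKDF2/Argon2 in practice).
        return hashlib.sha256(b"demo-salt:" + password.encode()).hexdigest()

    def check_password(self, password):
        return hmac.compare_digest(self.password_hash, self._hash_password(password))

    def set_password(self, password):
        self.password_hash = self._hash_password(password)

    def session_auth_hash(self):
        # Keyed HMAC of the password hash: changes whenever the password
        # changes, but leaks nothing about the hash to whoever reads the session.
        return hmac.new(SECRET_KEY, self.password_hash.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Server-side session store: session id -> session data."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user.username, "auth_hash": user.session_auth_hash()}
        return sid

    def get_user(self, sid, users):
        """Return the user bound to this session, or None if the session is
        missing or its stored auth hash no longer matches the account."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        user = users.get(data["user"])
        if user is None or not hmac.compare_digest(data["auth_hash"], user.session_auth_hash()):
            # Stale hash: the password changed in another session. Flush.
            self._sessions.pop(sid, None)
            return None
        return user

    def refresh_auth_hash(self, sid, user):
        """Keep the current session alive after its own password change
        (the role Django's update_session_auth_hash() plays)."""
        if sid in self._sessions:
            self._sessions[sid]["auth_hash"] = user.session_auth_hash()


def change_password(store, sid, user, old_password, new_password):
    """Change the password from session `sid`; only that session survives."""
    if not user.check_password(old_password):
        return False
    user.set_password(new_password)
    store.refresh_auth_hash(sid, user)
    return True


def demo():
    """Constructed scenario: the user's browser and an attacker's browser
    both hold sessions opened with the compromised password."""
    users = {"alice": User("alice", "hunter2")}
    store = SessionStore()
    alice = users["alice"]
    own = store.login(alice)       # browser where the password will be changed
    attacker = store.login(alice)  # session opened with the leaked password
    before = (store.get_user(own, users) is alice, store.get_user(attacker, users) is alice)
    changed = change_password(store, own, alice, "hunter2", "correct horse battery staple")
    after = (store.get_user(own, users) is alice, store.get_user(attacker, users) is alice)
    return {"before": before, "changed": changed, "after": after}


if __name__ == "__main__":
    print(demo())
```

The check runs on every authenticated request rather than only at password-change time, so it also covers sessions that were persisted before the change and only come back later; the cost is one HMAC per request, and the store never needs to enumerate a user's sessions to revoke them.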