I haven't tested the issue outside my project. But while debugging, I saw 
the new hash in the user instance returned by authenticate(), but that new 
hash never went to the database since I haven't done a 'save()' of the user 
instance.

If you see the new hash in the database, I think that maybe the admin is 
saving the user instance with the new hash. And doing that, i.e. save()'ing 
the user returned by authenticate(), solved the issue for me too (but I 
don't want to save the user every time he/she logs in, just in case the 
hasher parameters changed).




On Wednesday, January 14, 2015 at 10:31:55 PM UTC-3, Tim Graham wrote:
>
> Hi Horacio,
>
> Thanks for the report. Unfortunately, I can't reproduce this issue.
>
> My steps to reproduce using the project from the tutorial:
> Bump PBKDF2PasswordHasher.iterations to a higher value
> Login at /admin/
> Confirm at /admin/auth/user/#/ that the password of the user I logged in 
> as reflects the new iteration count.
>
> Maybe there is something different in your setup?
>
> On Wednesday, January 14, 2015 at 4:57:13 PM UTC-5, Horacio G. de Oro 
> wrote:
>>
>> The problem is because the iterations in PBKDF2PasswordHasher were 
>> updated to 15000, so it updates the password, but later, 
>> SessionAuthenticationMiddleware detects a password change and PUF! the 
>> login doesn't work.
>>
>> Right now I've created a PBKDF2PasswordHasher implementation with 
>> iterations = 12000 (the old value), but I want to report the issue (I don't 
>> know if this is a bug) in case it happens to anyone else.
>>
>> Saving the user returned by authenticate() before calling login() solved 
>> the issue too, but I don't want to save the user just in case the password 
>> changed.
>>
>> Regards!
>> Horacio
>>
>>
>> --
>> Horacio G. de Oro
>> Email: [email protected]
>> Web: http://www.data-tsunami.com
>> LinkedIn: https://www.linkedin.com/in/hgdeoro
>>
>>
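
A simplified model of the failure discussed in this thread, as an added example that is not part of the original messages and is not Django's own code: the session stores an HMAC of the user's password field at login, so a hash upgraded only in memory no longer matches the row reloaded on the next request. The function names, the dict-based "database" and all sample values are constructed for illustration; only the iteration counts 12000 and 15000 come from the thread.

```python
import base64
import hashlib
import hmac

SECRET_KEY = b"constructed-secret-key"  # constructed sample value


def make_hash(password, salt, iterations):
    """Encode a PBKDF2 hash as algorithm$iterations$salt$digest."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(dk).decode())


def check_and_upgrade(user, password, current_iterations):
    """Verify the password; rehash IN MEMORY ONLY if the iteration count is stale."""
    _algo, iters, salt, _digest = user["password"].split("$")
    if not hmac.compare_digest(make_hash(password, salt, int(iters)), user["password"]):
        return False
    if int(iters) != current_iterations:
        user["password"] = make_hash(password, salt, current_iterations)
    return True


def session_auth_hash(user):
    """Value stored in the session at login: an HMAC over the password field."""
    return hmac.new(SECRET_KEY, user["password"].encode(), hashlib.sha256).hexdigest()


def simulate_login(save_after_authenticate):
    """Return True if the session is still valid on the request after login."""
    db = {"alice": {"password": make_hash("s3cret", "constructedsalt", 12000)}}
    user = dict(db["alice"])                    # instance returned by authenticate()
    if not check_and_upgrade(user, "s3cret", 15000):
        raise ValueError("password check failed")
    if save_after_authenticate:
        db["alice"] = dict(user)                # persist the upgraded hash
    session = {"auth_hash": session_auth_hash(user)}  # what login() records
    reloaded = dict(db["alice"])                # next request loads the user from the db
    return hmac.compare_digest(session["auth_hash"], session_auth_hash(reloaded))


if __name__ == "__main__":
    print("upgraded hash not saved:", simulate_login(False))  # session rejected
    print("upgraded hash saved:    ", simulate_login(True))   # session accepted
```
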
