I've recently discovered this issue with my Django-based application. When a user changes their password, their active sessions are not destroyed. I mean, if a user is logged in in two different places (or in two different browsers) and changes their password in one place, the other session will still be active.
I think this is an issue. If a user thinks his password has been stolen, he'll naturally change his password in the hope that this action will revoke the thief's undue access to his account. It's kinda "expected" that after a password change, everyone with your old password will no longer be able to log in. But as far as I can tell, this has been the default behaviour for a long time and no one ever bothered. So, am I missing something? Maybe my specific setup (I changed my auth backend a little bit) is problematic?

- D

--
You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com. To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
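The behaviour described in the post (a password change leaves every other logged-in session valid) can be closed by binding each session to the current password hash: the session stores an HMAC of the hash at login, and every request re-checks it against the user's current hash, so a password change silently revokes all sessions except the one you choose to refresh. The following is an added example written for this thread, not code from the poster's application or from Django itself; it uses a toy in-memory user and session store, a stand-in `SECRET_KEY`, and a plain SHA-256 password hash (all assumptions, chosen so it runs without Django installed). A real application would use Django's slow password hasher and its own session backend; later Django releases ship this same idea as `get_session_auth_hash()` with a session-verifying middleware.

```python
import hashlib
import hmac
import secrets

# Assumption: stand-in for settings.SECRET_KEY in a real Django project.
SECRET_KEY = "example-secret-key-do-not-use"


class User:
    """Toy user record; the only field that matters here is the password hash."""

    def __init__(self, user_id, password):
        self.id = user_id
        self.password_hash = self._hash(password)

    @staticmethod
    def _hash(password):
        # Toy hash for the example only. Real code uses a slow KDF
        # (Django's default is PBKDF2 with a per-user salt).
        return hashlib.sha256(password.encode("utf-8")).hexdigest()

    def set_password(self, password):
        self.password_hash = self._hash(password)

    def session_auth_hash(self):
        # HMAC over the password hash so the session is bound to the
        # credential that was valid at login time; a new password gives
        # a different value without exposing the hash itself in the session.
        return hmac.new(SECRET_KEY.encode("utf-8"),
                        self.password_hash.encode("utf-8"),
                        hashlib.sha256).hexdigest()


class SessionStore:
    """In-memory session store keyed by a random session id (assumption)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        session_key = secrets.token_hex(16)
        self._sessions[session_key] = {
            "user_id": user.id,
            "auth_hash": user.session_auth_hash(),
        }
        return session_key

    def get_user(self, session_key, users):
        """Resolve a session to a user, revoking it if the password changed."""
        data = self._sessions.get(session_key)
        if data is None:
            return None
        user = users.get(data["user_id"])
        if user is None:
            return None
        if not hmac.compare_digest(data["auth_hash"], user.session_auth_hash()):
            # Password changed since this session was created: drop it.
            del self._sessions[session_key]
            return None
        return user

    def refresh_auth_hash(self, session_key, user):
        """Keep the session that performed the change logged in."""
        self._sessions[session_key]["auth_hash"] = user.session_auth_hash()


def change_password_scenario():
    """Two browsers logged in; the password is changed from browser A.

    Returns (a_still_valid, b_still_valid) after the change.
    """
    users = {1: User(1, "old-password")}
    store = SessionStore()
    browser_a = store.login(users[1])
    browser_b = store.login(users[1])

    # Both sessions are valid before the change.
    assert store.get_user(browser_a, users) is users[1]
    assert store.get_user(browser_b, users) is users[1]

    # Password change from browser A; refresh only A's session.
    users[1].set_password("new-password")
    store.refresh_auth_hash(browser_a, users[1])

    a_ok = store.get_user(browser_a, users) is users[1]
    b_ok = store.get_user(browser_b, users) is users[1]
    return a_ok, b_ok


if __name__ == "__main__":
    print(change_password_scenario())  # (True, False)
```

The check runs on every request, so it also covers sessions created before the fix was deployed (they simply fail verification the next time they are used). Note that it relies on the session being re-read from the server-side store; with signed-cookie sessions the same comparison works, but the cookie itself cannot be deleted from the other browser, only rejected.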