summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2016-08-03 15:16:43 -0400
committerTim Graham <timograham@gmail.com>2016-08-11 12:08:50 -0400
commit4c2a6fe75bad592972eafc79debc35bf944f38f7 (patch)
treefd57087a2b00e1b80d07ab9ff55ff9255eda871f
parent6b83f61e72637326605614d8a8e9e0077040d994 (diff)
Clarified session verification with respect to the current session.
-rw-r--r--docs/topics/auth/default.txt16
1 files changed, 11 insertions, 5 deletions
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
index 7f92c12966..6735c261df 100644
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@@ -810,6 +810,8 @@ user to the login page or issue an HTTP 403 Forbidden response.
redirects the user to the ``login_url``, optionally including the
``redirect_field_name`` if it is set.
+.. currentmodule:: django.contrib.auth
+
.. _session-invalidation-on-password-change:
Session invalidation on password change
@@ -829,16 +831,20 @@ If your :setting:`AUTH_USER_MODEL` inherits from
:meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash()`
method, authenticated sessions will include the hash returned by this function.
In the :class:`~django.contrib.auth.models.AbstractBaseUser` case, this is an
-HMAC of the password field. Django verifies that the hash sent along with each
-request matches the one that's computed server-side. This allows a user to log
-out all of their sessions by changing their password.
+HMAC of the password field. Django verifies that the hash in the session for
+each request matches the one that's computed during the request. This allows a
+user to log out all of their sessions by changing their password.
The default password change views included with Django,
-:class:`django.contrib.auth.views.PasswordChangeView` and the
+:class:`~django.contrib.auth.views.PasswordChangeView` and the
``user_change_password`` view in the :mod:`django.contrib.auth` admin, update
the session with the new password hash so that a user changing their own
password won't log themselves out. If you have a custom password change view
-and wish to have similar behavior, use this function:
+and wish to have similar behavior, use the :func:`update_session_auth_hash`
+function. In this case, however, if a user also wants to invalidate the session
+from which they're changing their password (for example, if they believe the
+session cookie on their machine was stolen), then they also need to log out
+that session.
.. function:: update_session_auth_hash(request, user)