diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.11.txt | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/releases/1.11.txt b/docs/releases/1.11.txt index 9bb9a2e903..c8f3e92f21 100644 --- a/docs/releases/1.11.txt +++ b/docs/releases/1.11.txt @@ -116,6 +116,14 @@ Minor features :class:`~django.contrib.auth.views.PasswordResetConfirmView` allows automatically logging in a user after a successful password reset. +* To avoid the possibility of leaking a password reset token via the HTTP + Referer header (for example, if the reset page includes a reference to CSS or + JavaScript hosted on another domain), the + :class:`~django.contrib.auth.views.PasswordResetConfirmView` (but not the + deprecated ``password_reset_confirm()`` function-based view) stores the token + in a session and redirects to itself to present the password change form to + the user without the token in the URL. + * :func:`~django.contrib.auth.update_session_auth_hash` now rotates the session key to allow a password change to invalidate stolen session cookies. |
