summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.11.txt8
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/releases/1.11.txt b/docs/releases/1.11.txt
index 9bb9a2e903..c8f3e92f21 100644
--- a/docs/releases/1.11.txt
+++ b/docs/releases/1.11.txt
@@ -116,6 +116,14 @@ Minor features
:class:`~django.contrib.auth.views.PasswordResetConfirmView` allows
automatically logging in a user after a successful password reset.
+* To avoid the possibility of leaking a password reset token via the HTTP
+ Referer header (for example, if the reset page includes a reference to CSS or
+ JavaScript hosted on another domain), the
+ :class:`~django.contrib.auth.views.PasswordResetConfirmView` (but not the
+ deprecated ``password_reset_confirm()`` function-based view) stores the token
+ in a session and redirects to itself to present the password change form to
+ the user without the token in the URL.
+
* :func:`~django.contrib.auth.update_session_auth_hash` now rotates the session
key to allow a password change to invalidate stolen session cookies.