This repository has been archived by the owner on May 18, 2020. It is now read-only.

A reusable Django app that invalidates all active sessions after a password change


atugushev/django-password-session


Django Password Session

A reusable Django app that invalidates all of a user's active sessions after a password change.

Since Django 1.7 this feature is implemented out of the box.


Installation

  1. Install the package:

    $ pip install django-password-session

  2. Add "password_session" to your INSTALLED_APPS setting:

    INSTALLED_APPS = (
        ...
        'password_session',
    )

  3. Add the middleware:

    MIDDLEWARE_CLASSES = (
        ...
        'password_session.middleware.CheckPasswordHash',
    )

  4. Make sure that you have the following settings:

    INSTALLED_APPS = (
        ...
        'django.contrib.auth',
        'django.contrib.contenttypes',
        'django.contrib.sessions',
    )

    AUTHENTICATION_BACKENDS = (
        ...
        'django.contrib.auth.backends.ModelBackend',
    )

    MIDDLEWARE_CLASSES = (
        ...
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
    )

  5. To avoid logging the user out of the current session, update the session by calling the following function directly after changing the password:

    from password_session import update_session_auth_hash
    update_session_auth_hash(request, user)

Example view

This is a very simple password-change view, shown only to demonstrate how to update the current session.

from django.contrib.auth.decorators import login_required
from django.http import HttpResponse

from password_session import update_session_auth_hash


@login_required
def change_password_view(request):
    # Demonstration only: no form handling or password validation is done here.
    user = request.user
    user.set_password(request.POST.get('password'))
    user.save()
    # Re-bind the current session to the new password so this user stays
    # logged in; sessions that are not updated are invalidated.
    update_session_auth_hash(request, user)
    return HttpResponse("Hello, %s! Your password has been changed!" % user.username)
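
The behaviour described above (other sessions are invalidated, the updated session survives) can be modelled without Django. The following is an added sketch of the general technique, binding each session to a keyed digest of the user's stored password hash; it is not this package's code, and SECRET_KEY, HASH_KEY and all class and function names are hypothetical, with constructed sample values.

```python
import hashlib
import hmac
import os

SECRET_KEY = b"constructed-demo-secret"  # assumption: stand-in for settings.SECRET_KEY
HASH_KEY = "_password_hash"              # hypothetical session key name


class User:
    def __init__(self, username, password):
        self.username = username
        self.set_password(password)

    def set_password(self, raw):
        # A fresh salt means the stored hash changes on every password change.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, 10000)
        self.password = salt.hex() + "$" + digest.hex()


def session_auth_hash(user):
    # Keyed digest of the stored password hash; the hash itself never enters the session.
    return hmac.new(SECRET_KEY, user.password.encode(), hashlib.sha256).hexdigest()


def login(user):
    # Returns a new session dict bound to the user's current password hash.
    return {"user": user.username, HASH_KEY: session_auth_hash(user)}


def check_password_hash(session, user):
    # Middleware step: flush the session if its binding is missing or stale.
    stored = session.get(HASH_KEY, "")
    if not hmac.compare_digest(stored, session_auth_hash(user)):
        session.clear()  # the request is now treated as logged out
        return False
    return True


def update_session(session, user):
    # What the password-change view does, for the current session only.
    session[HASH_KEY] = session_auth_hash(user)


def demo():
    alice = User("alice", "old-password")        # constructed sample user
    laptop, phone = login(alice), login(alice)   # two active sessions
    alice.set_password("new-password")           # password changed from the laptop
    update_session(laptop, alice)                # only the laptop session is re-bound
    return check_password_hash(laptop, alice), check_password_hash(phone, alice), phone
```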

Requirements

  • Python 2.6+ or 3+
  • Django>=1.3,<1.7
