Fixed #27009 -- Made update_session_auth_hash() rotate the session key.

2025-11-07 07:15:35 +00:00 · 2016-08-15 19:29:12 -04:00
parent 937d752d3d
commit 7549eb0004
4 changed files with 16 additions and 5 deletions
--- a/docs/releases/1.11.txt
+++ b/docs/releases/1.11.txt
@@ -84,6 +84,9 @@ Minor features
  :class:`~django.contrib.auth.views.PasswordResetConfirmView` allows
  automatically logging in a user after a successful password reset.

+* :func:`~django.contrib.auth.update_session_auth_hash` now rotates the session
+  key to allow a password change to invalidate stolen session cookies.
+
 :mod:`django.contrib.contenttypes`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~