tinok closed 4 years ago
@magicznyleszek, I don't think we need to log out the current session (despite the issue title). I think the point is to log out other sessions, which will have to happen on the backend. In practice, maybe it will be more practical to log out all sessions, but I think the goal is to deal with this situation:
IMO PR #2264 isn't necessary (sorry!)
@jnm oh, ok - I've closed the PR :)
Just an update on this feature idea - we are hoping to build this by Q4 2019.
@noliveleger, were you uncommenting this `SessionAuthenticationMiddleware` in #2460? I thought I saw that change somewhere but can't find it in the diff now.
@jnm I never uncommented it. I removed other Middleware classes.
Changed in Django 1.10: Session verification is enabled and mandatory in Django 1.10 (there’s no way to disable it) regardless of whether or not SessionAuthenticationMiddleware is enabled. In older versions, this protection only applies if django.contrib.auth.middleware.SessionAuthenticationMiddleware is enabled in MIDDLEWARE.
@noliveleger Can this issue be closed now?
@tinok, no, not until it's reviewed.
User story
UX flow
Relevant settings file: https://github.com/kobotoolbox/kpi/blob/7b5a1e708d5436d6d6348eb9066ae223507fc4ef/kobo/settings/base.py#L112-L114
Background
If a user changes the password of their account (while logged in), anyone logged in with the same account continues to be able to use the account.
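
A simplified model of the session verification quoted in the thread from the Django documentation, added here as an illustration: each session stores an HMAC of the user's password hash, so a password change invalidates every session except the one that is explicitly refreshed. This is standard-library Python, not Django's or kpi's code; the class, function names and values are constructed for the example.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = "constructed-demo-secret"  # constructed; stands in for settings.SECRET_KEY


class User:
    def __init__(self, username, password):
        self.username = username
        self.set_password(password)

    def set_password(self, raw):
        # Simplified stand-in for a salted password hasher.
        salt = secrets.token_hex(8)
        digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), 1000).hex()
        self.password = f"{salt}${digest}"

    def session_auth_hash(self):
        # HMAC over the stored password hash: it changes whenever the password does.
        return hmac.new(SECRET_KEY.encode(), self.password.encode(), hashlib.sha256).hexdigest()


def login(user):
    """Create a session that records the user's current auth hash."""
    return {"user": user.username, "auth_hash": user.session_auth_hash()}


def get_user(session, users):
    """Return the session's user, or flush the session and return None if it is stale."""
    user = users.get(session.get("user"))
    if user is None:
        return None
    if not hmac.compare_digest(session.get("auth_hash", ""), user.session_auth_hash()):
        session.clear()  # password changed since this session logged in
        return None
    return user


def change_password(user, new_password, current_session):
    """Change the password and refresh only the session that made the change."""
    user.set_password(new_password)
    current_session["auth_hash"] = user.session_auth_hash()


def demo():
    alice = User("alice", "old-password")
    users = {"alice": alice}
    laptop, phone = login(alice), login(alice)  # two concurrent sessions
    change_password(alice, "new-password", laptop)
    return get_user(laptop, users) is alice, get_user(phone, users) is None, phone == {}
```

In Django itself, the refresh step for the session that changed the password is done with `update_session_auth_hash(request, user)` from `django.contrib.auth`.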