django user logged out after password change

没有蜡笔的小新 2021-02-02 10:43

I am having an issue with Django users changing passwords - I have built a few production sites in Django, just none in about a year (or in 1.8), but I don't recall having this

3 answers
  • 2021-02-02 11:21

    My understanding is being logged out after password change is new in Django 1.7. So you will need to re-auth user in your code as you said.

    See Release Notes: https://docs.djangoproject.com/en/1.8/releases/1.7/#django-contrib-auth

    Here is the specific note: "The AbstractBaseUser.get_session_auth_hash() method was added and if your AUTH_USER_MODEL inherits from AbstractBaseUser, changing a user’s password now invalidates old sessions if the SessionAuthenticationMiddleware is enabled. See Session invalidation on password change for more details including upgrade considerations when enabling this new middleware."

    See Documentation: https://docs.djangoproject.com/en/1.7/topics/auth/default/#session-invalidation-on-password-change

  • 2021-02-02 11:25

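    For Django 1.9:

    from django.contrib.auth import update_session_auth_hash
    from django.contrib.auth.forms import PasswordChangeForm

    def password_change(request):
        if request.method == 'POST':
            # Bind the form to the logged-in user and the submitted data
            form = PasswordChangeForm(user=request.user, data=request.POST)
            if form.is_valid():
                form.save()  # stores the new password hash
                # Refresh the current session's auth hash so this user stays logged in
                update_session_auth_hash(request, form.user)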
    

    The following fields must be supplied in the POST request:

    • old_password
    • new_password1
    • new_password2

    See detailed docs at https://docs.djangoproject.com/en/1.9/topics/auth/default/#session-invalidation-on-password-change

  • 2021-02-02 11:33

    For Django 1.8

    Simply call update_session_auth_hash after set_password like so:

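    from django.contrib.auth import update_session_auth_hash

    request.user.set_password(form.cleaned_data['password'])
    request.user.save()  # set_password() does not save the user by itself
    # Refresh the session's auth hash so the current session stays valid
    update_session_auth_hash(request, request.user)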
    
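The mechanism the answers rely on, as an added example that is not part of the original thread and not Django's own code: a standard-library model in which each session stores an HMAC of the user's stored password hash, so a password change invalidates every session except one that is explicitly refreshed. The names `session_auth_hash`, `refresh_session_hash`, the demo secret and the sample user and sessions are constructed for illustration.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-secret"  # stand-in for settings.SECRET_KEY


def make_password_hash(raw_password, salt):
    # Stand-in for the stored, salted password hash (the user's `password` field).
    return hashlib.pbkdf2_hmac("sha256", raw_password.encode(), salt, 1000).hex()


def session_auth_hash(password_hash):
    # Model of get_session_auth_hash(): an HMAC over the stored password hash.
    return hmac.new(SECRET_KEY, password_hash.encode(), hashlib.sha256).hexdigest()


def login(user):
    # A new session records the auth hash that was current at login time.
    return {"user": user["name"], "auth_hash": session_auth_hash(user["password"])}


def session_is_valid(session, user):
    # Per-request check: a session whose stored hash no longer matches is rejected.
    current = session_auth_hash(user["password"])
    return hmac.compare_digest(session["auth_hash"], current)


def refresh_session_hash(session, user):
    # Model of update_session_auth_hash(request, user): refresh this session only.
    session["auth_hash"] = session_auth_hash(user["password"])


def change_password_demo(refresh_current):
    user = {"name": "alice", "password": make_password_hash("old-pw", b"salt-1")}
    laptop, phone = login(user), login(user)  # two concurrent sessions
    # The password is changed from the laptop session.
    user["password"] = make_password_hash("new-pw", b"salt-2")
    if refresh_current:
        refresh_session_hash(laptop, user)
    return session_is_valid(laptop, user), session_is_valid(phone, user)


if __name__ == "__main__":
    print("without refresh:", change_password_demo(False))
    print("with refresh:   ", change_password_demo(True))
```

The second session being rejected in both runs is the intended effect: a session opened elsewhere with the old password does not survive the change.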