Use Django's own logic to invalidate sessions of users when changing passwords

The key is django.contrib.auth.update_session_auth_hash(), which knows
how to inject a recalculated session hash back into the session if the
requesting user is changing their own password, in order to keep that
user logged in.
Jeff Bradberry
2019-03-26 17:22:16 -04:00
parent 2129f12085
commit f2be4de544
5 changed files with 22 additions and 19 deletions


@@ -29,9 +29,9 @@ class Command(BaseCommand):
# with consideration for timezones.
start = timezone.now()
sessions = Session.objects.filter(expire_date__gte=start).iterator()
request = HttpRequest()
for session in sessions:
user_id = session.get_decoded().get('_auth_user_id')
if (user is None) or (user_id and user.id == int(user_id)):
request.session = import_module(settings.SESSION_ENGINE).SessionStore(session.session_key)
logout(request)
session = import_module(settings.SESSION_ENGINE).SessionStore(session.session_key)
# Log out the session, but without the need for a request object.
session.flush()
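Review bot: The added line `session = import_module(settings.SESSION_ENGINE).SessionStore(session.session_key)` rebinds the loop variable that holds the `Session` model row, so from that point the name refers to the store rather than the queryset object, which is easy to misread in a loop that also calls `session.get_decoded()`; a distinct name such as `store = import_module(settings.SESSION_ENGINE).SessionStore(session.session_key)` followed by `store.flush()` keeps the two apart. The engine lookup `import_module(settings.SESSION_ENGINE)` does not depend on the loop and could be bound once before the `for`, e.g. `SessionStore = import_module(settings.SESSION_ENGINE).SessionStore`. The comment above `flush()` would be more useful if it also said what the call guarantees, e.g. `# flush() clears and deletes the stored session server-side, so the key can no longer be used; no request object is needed.` The enclosing method of `Command` starts before this hunk.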