Use Django's own logic to invalidate sessions of users when changing passwords

The key is django.contrib.auth.update_session_auth_hash(), which knows how to inject a recalculated session hash back into the session if the requesting user is changing their own password, in order to keep that user logged in.
2026-02-19 20:20:06 -03:30 · 2019-03-26 17:22:16 -04:00
parent 2129f12085
commit f2be4de544
5 changed files with 22 additions and 19 deletions
--- a/awx/main/middleware.py
+++ b/awx/main/middleware.py
@@ -127,8 +127,8 @@ class SessionTimeoutMiddleware(object):

    def process_response(self, request, response):
        should_skip = 'HTTP_X_WS_SESSION_QUIET' in request.META
-        req_session = getattr(request, 'session', None)
-        if req_session and not req_session.is_empty() and should_skip is False:
+        # Only update the session if it hasn't been flushed by being forced to log out.
+        if request.session and not request.session.is_empty() and not should_skip:
            expiry = int(settings.SESSION_COOKIE_AGE)
            request.session.set_expiry(expiry)
            response['Session-Timeout'] = expiry