Update session data when updating the password with UpdateUser

https://redmine.teklia.com/issues/7318

To allow users to disconnect automatically from all sessions when changing their password, Django includes a hash of the user's password in the session data. The default views that Django provides to change the password support this and will update the session accordingly, so that only the current session stays logged in, but we do not support this in UpdateUser or PartialUpdateUser. Those endpoints should call django.contrib.auth.update_session_auth_hash() when, and only when, the password field has been successfully updated.

Docs: https://docs.djangoproject.com/en/4.2/topics/auth/default/#session-invalidation-on-password-change
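
The mechanism described in this issue, as an added standard-library model (not code from Django or from this project): each session stores a hash derived from the user's stored password, and a session survives a password change only if that hash is refreshed. `User`, `login`, `session_is_valid`, `update_user` and the secret value are hypothetical stand-ins, and the plain HMAC here simplifies Django's salted HMAC.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-secret-for-the-example"  # stand-in for settings.SECRET_KEY
HASH_SESSION_KEY = "_auth_user_hash"  # session key Django stores the hash under


class User:
    def __init__(self, password_hash):
        self.password = password_hash  # stored (already hashed) password string
        self.display_name = ""

    def get_session_auth_hash(self):
        # Simplified model: HMAC over the stored password hash, keyed by the secret.
        return hmac.new(SECRET_KEY, self.password.encode(), hashlib.sha256).hexdigest()


def login(user):
    """Create a session dict bound to the user's current password hash."""
    return {HASH_SESSION_KEY: user.get_session_auth_hash()}


def session_is_valid(session, user):
    """Per-request check: the session survives only if its hash still matches."""
    stored = session.get(HASH_SESSION_KEY, "")
    return hmac.compare_digest(stored, user.get_session_auth_hash())


def update_session_auth_hash(session, user):
    """Model of django.contrib.auth.update_session_auth_hash()."""
    session[HASH_SESSION_KEY] = user.get_session_auth_hash()


def update_user(session, user, data, refresh_session=True):
    """Hypothetical stand-in for UpdateUser / PartialUpdateUser."""
    if "display_name" in data:
        user.display_name = data["display_name"]
    password_changed = "password" in data
    if password_changed:
        user.password = data["password"]  # assumed to be the new stored hash
    # Refresh the calling session when, and only when, the password was updated.
    if password_changed and refresh_session:
        update_session_auth_hash(session, user)
    return password_changed
```

With `refresh_session=False` the function models the current endpoint behaviour, where the session that changed the password is logged out along with every other one.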