expiring sessions after password changes
From:
Date: 2011-07-28 @ 06:15
Suppose a user of my app changes her password. I'd like to invalidate
all of that user's session cookies, everywhere.
I've thought of two ways to do this:
1. Modify (or hopefully extend) the werkzeug code that signs the
session cookie to incorporate some bits from the user's hashed
password into the key used to sign the cookie, so that when the
password hash changes, the cookie signature is no longer valid.
2. Store a counter in the user's database row that I increment every
time the password changes. Put that counter in the session cookie.
Log the user out if the counter in their cookie does not match the
counter in the db.
#2 seems like the Right Thing, since it would also make it easy to add
a "log me out everywhere else" button if I wanted to.
But this is such a common scenario, I thought I'd ask if Flask has any
built-in support for this, or if anyone has done this and has any
advice. I couldn't find anything in the documentation.
Thanks!
-Mark
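Both approaches from the post, worked through in plain Python as an added example (not code from the post, and not Flask's or Werkzeug's own session code). It assumes a hypothetical `UserStore` standing in for the users table, a constructed `SECRET_KEY`, and a minimal HMAC-signed cookie in place of Werkzeug's secure cookie; the `issue_cookie_v1`/`load_session_v1` pair is approach #1 (signing key derived from the password hash) and `issue_cookie_v2`/`load_session_v2` is approach #2 (counter in the cookie checked against the row), which also gives the "log me out everywhere else" button for free.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed application secret for this demo; a real app loads it from config.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


class UserStore:
    """Hypothetical stand-in for the users table: one row per user holding the
    password hash and the counter from approach #2 ("session_version")."""

    def __init__(self):
        self.rows = {}

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, username, password):
        salt = secrets.token_bytes(16)
        self.rows[username] = {"salt": salt, "pw_hash": self._hash(password, salt),
                               "session_version": 0}

    def change_password(self, username, new_password):
        row = self.rows[username]
        row["salt"] = secrets.token_bytes(16)
        row["pw_hash"] = self._hash(new_password, row["salt"])
        row["session_version"] += 1  # every cookie issued so far now mismatches

    def logout_everywhere(self, username):
        # The "log me out everywhere else" button: bump the counter, nothing else.
        self.rows[username]["session_version"] += 1


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _sign(payload: dict, key: bytes) -> str:
    """Minimal signed cookie: base64(json payload) '.' base64(HMAC-SHA256)."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def _verify(cookie: str, key: bytes):
    """Return the payload dict if the signature checks out under key, else None."""
    try:
        body, sig_b64 = cookie.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig_b64)):
            return None
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, KeyError, TypeError):
        return None  # malformed or tampered cookie


# Approach #1: per-user signing key mixed from SECRET_KEY and the password hash,
# so a password change silently invalidates every signature made before it.
def _user_key(row) -> bytes:
    return hmac.new(SECRET_KEY, row["pw_hash"], hashlib.sha256).digest()


def issue_cookie_v1(store, username):
    return _sign({"user": username}, _user_key(store.rows[username]))


def load_session_v1(store, cookie):
    # Peek at the still-untrusted username only to find the row; nothing in the
    # cookie is trusted until _verify succeeds with that row's key.
    try:
        claimed = json.loads(base64.urlsafe_b64decode(cookie.split(".", 1)[0]))["user"]
        row = store.rows[claimed]
    except (ValueError, KeyError, TypeError):
        return None
    payload = _verify(cookie, _user_key(row))
    return payload["user"] if payload else None


# Approach #2: one global key; the row's counter rides in the cookie and must
# still equal the stored counter when the session is loaded.
def issue_cookie_v2(store, username):
    row = store.rows[username]
    return _sign({"user": username, "sv": row["session_version"]}, SECRET_KEY)


def load_session_v2(store, cookie):
    payload = _verify(cookie, SECRET_KEY)
    if not payload:
        return None
    row = store.rows.get(payload.get("user"))
    if row is None or payload.get("sv") != row["session_version"]:
        return None  # password changed or "log out everywhere" pressed since issue
    return payload["user"]
```

Approach #1 needs the hash to be looked up on every request anyway, and it cannot log the user out without changing the password; approach #2 costs one integer compare against a row you are already loading and lets any event (password change, "log me out everywhere", an admin action) invalidate outstanding cookies by incrementing the counter.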