Old sessions are not deleted when account is deleted #1492

Closed
mlissner opened this issue Dec 2, 2020 · 3 comments · Fixed by #1493
mlissner commented Dec 2, 2020

We let people delete their accounts, but we don't nuke their active sessions when they do so. We should do that. If we don't, there's no way for a user to nuke those sessions.

mlissner self-assigned this Dec 2, 2020

mlissner commented Dec 2, 2020

OK, first things first. I guess I don't care if a session is still active after an account is deleted. If that's the case, it's not like you can do anything. The data for the account is nuked, and if you try to create more data by creating a favorite or something, it'll surely explode.

What I do think is worth investigating is how to nuke sessions during a password change.


mlissner commented Dec 2, 2020

Actually, it looks like sessions are invalidated with password changes: https://docs.djangoproject.com/en/1.11/topics/auth/default/#session-invalidation-on-password-change. I think I'm done here.


mlissner commented Dec 3, 2020

On second thought, changing your password only invalidates sessions if you do it via one of the password change forms. If you do it via the change password method, as we do, you have to explicitly nuke other sessions (there's a command for this, as above). So... I implemented that in #1493.

mlissner reopened this Dec 3, 2020
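
The explicit cleanup described in the last comment, sketched as an added example (not code from this project or from #1493). It assumes a database-style session store where each row is an opaque signed blob with no user column, so finding one user's sessions means decoding every live row; `SECRET_KEY`, the store layout and all function names are hypothetical, while `_auth_user_id` is the key Django uses for the logged-in user's id inside session data.

```python
import base64, hashlib, hmac, json, time

SECRET_KEY = b"constructed-demo-key"  # assumption: stands in for the app's signing key

def encode_session(data):
    """Serialize session data as payload:signature, an opaque blob as a store would hold it."""
    payload = base64.urlsafe_b64encode(json.dumps(data).encode())
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    return payload + b":" + sig

def decode_session(blob):
    """Return the session dict, or {} if the blob is corrupt or fails verification."""
    try:
        payload, sig = blob.rsplit(b":", 1)
        expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(sig, expected):
            return {}
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return {}

def purge_user_sessions(store, user_id, keep_key=None, now=None):
    """Delete every live session of user_id except keep_key; return the deleted keys."""
    now = time.time() if now is None else now
    doomed = []
    for key, (blob, expires) in store.items():
        if key == keep_key or expires <= now:
            continue  # keep the caller's own session; expired rows go to normal cleanup
        # Unverifiable blobs decode to {} and never match, so they are left alone.
        if str(decode_session(blob).get("_auth_user_id")) == str(user_id):
            doomed.append(key)
    for key in doomed:
        del store[key]
    return sorted(doomed)

def build_sample_store(now):
    """Constructed sample rows: session_key -> (blob, expiry timestamp)."""
    live, dead = now + 3600, now - 1
    mine = {"_auth_user_id": "7"}
    return {
        "current": (encode_session(mine), live),
        "laptop": (encode_session(mine), live),
        "phone": (encode_session({"_auth_user_id": "7", "cart": [1]}), live),
        "other-user": (encode_session({"_auth_user_id": "9"}), live),
        "anonymous": (encode_session({}), live),
        "tampered": (encode_session(mine) + b"x", live),
        "expired": (encode_session(mine), dead),
    }
```

Passing `keep_key` covers the password-change case, where the session making the change should survive; leaving it as `None` covers account deletion, where nothing should.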