HenryM

Reputation: 5793

Django password change

Why does the following code result in my user being logged out when they enter a new, valid password?

from django.contrib.auth.decorators import login_required
from django.contrib.auth.forms import PasswordChangeForm
from django.shortcuts import render


@login_required
def change_password(request):
    pass_form = PasswordChangeForm(user=request.user)
    if request.method == 'POST':
        pass_form = PasswordChangeForm(user=request.user, data=request.POST)
        if pass_form.is_valid():
            # Saves the new password hash for the user
            pass_form.save()
            return render(request, 'coursework/profile.html',
                          {'pass_form': pass_form,
                           'pass_msg': 'Password Updated'})
    return render(request, 'coursework/new_password_form.html',
                  {'form': pass_form})

Upvotes: 2

Views: 207

Answers (2)

Alasdair

Reputation: 308769

Django invalidates sessions when the password is changed. You need to call update_session_auth_hash to prevent this.

Note that you don't have to write your own change_password method. Django comes with a password_change method, which takes care of updating the session for you.

Upvotes: 2

koniiiik

Reputation: 4382

It's a security measure implemented by Django, and it is enabled in the default configuration – as soon as a user changes their password, all existing sessions are invalidated. See https://docs.djangoproject.com/en/1.9/topics/auth/default/#session-invalidation-on-password-change

You need to add the following to your view after pass_form.save() in order to keep the current session valid:

update_session_auth_hash(request, pass_form.user)

Upvotes: 3
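
An added example, not part of the answers above and not Django's own code: a standard-library model of the check both answers describe, where each session stores an HMAC of the user's password hash and stops validating once the password changes. The class, the function names and the secret are hypothetical; `refresh_session_hash` plays the role of `update_session_auth_hash`.

```python
import hashlib
import hmac
import os

SECRET_KEY = b"constructed-demo-secret"  # constructed; stands in for settings.SECRET_KEY


class User:
    def __init__(self, name, raw_password):
        self.name = name
        self.set_password(raw_password)

    def set_password(self, raw_password):
        # Salted PBKDF2 so the stored value changes on every password change.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", raw_password.encode(), salt, 100_000)
        self.password_hash = salt.hex() + "$" + digest.hex()

    def session_auth_hash(self):
        # HMAC keyed with the site secret over the stored password hash.
        return hmac.new(SECRET_KEY, self.password_hash.encode(), hashlib.sha256).hexdigest()


def login(user):
    """Create a session that records the user's current auth hash."""
    return {"user": user.name, "auth_hash": user.session_auth_hash()}


def authenticate_request(session, user):
    """Per-request check: a session with a stale hash is flushed (logged out)."""
    if hmac.compare_digest(session.get("auth_hash", ""), user.session_auth_hash()):
        return True
    session.clear()
    return False


def refresh_session_hash(session, user):
    """Hypothetical counterpart of update_session_auth_hash for this model."""
    session["auth_hash"] = user.session_auth_hash()


def demo():
    user = User("alice", "old-password")
    laptop, phone = login(user), login(user)  # two sessions for one account
    user.set_password("new-password")         # the pass_form.save() step
    refresh_session_hash(laptop, user)        # only the session that changed it
    return authenticate_request(laptop, user), authenticate_request(phone, user)
```

The session that refreshed its hash stays logged in, while the second session is flushed on its next request, which is the protection against a session that was already open under the old password.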
