I'm interested in improving the security of my TurboGears 2.2 application so that when a user changes his password, it logs him out from all sessions and he must log in again. The goal is that when a user changes his password on browser 1, he must log in again on browser 2, too. Experiments show that this is not the case, especially if browser 2 had "remember me" enabled.
It's a standard quickstarted app using repoze.who. It seems maybe I need to change AuthTktCookiePlugin, but I don't see a way to do it without much rewiring.
Storing a timestamp of the last time the password got changed inside `request.identity['userdata']` should make it possible to check it whenever the user gets back and log him out if it's different from the last time the password got changed for real.
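A sketch of the comparison described in the answer above, added here as an example and not code from the original post or from TurboGears/repoze.who. It models the identity as a plain dict with a `userdata` string; `PWD_KEY`, `make_userdata`, `session_is_current` and the `db` stand-in are hypothetical names, and the dates are constructed.

```python
from datetime import datetime

PWD_KEY = "pwd_changed"  # hypothetical field name stored inside userdata


def make_userdata(password_changed, extra=""):
    """Build the identity['userdata'] string to set when a login cookie is issued."""
    stamp = "%s=%s" % (PWD_KEY, password_changed.isoformat())
    return ";".join(part for part in (extra, stamp) if part)


def session_is_current(identity, password_changed):
    """Return True only if the cookie carries the user's current change timestamp."""
    userdata = (identity or {}).get("userdata") or ""
    fields = dict(p.split("=", 1) for p in userdata.split(";") if "=" in p)
    stamp = fields.get(PWD_KEY)
    if stamp is None:
        return False  # cookie issued before this scheme existed: force a new login
    return stamp == password_changed.isoformat()


def simulate():
    """Constructed scenario: two browsers, password changed from browser 1."""
    db = {"alice": datetime(2013, 1, 1, 9, 0, 0)}  # stand-in for the user table

    def login():
        # Assumption: the login code copies the stored timestamp into userdata.
        return {"repoze.who.userid": "alice",
                "userdata": make_userdata(db["alice"])}

    browser1, browser2 = login(), login()  # browser 2 keeps a "remember me" cookie
    db["alice"] = datetime(2013, 1, 2, 14, 30, 5)  # password changed via browser 1
    browser1 = login()  # browser 1 is issued a fresh cookie after the change
    return (session_is_current(browser1, db["alice"]),
            session_is_current(browser2, db["alice"]))


if __name__ == "__main__":
    print(simulate())
```

The check only helps if it runs on every authenticated request and the password-change handler updates the stored timestamp in the same transaction as the new password hash; when it returns False, the application should drop the cookie and send the user to the login page.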