Other active sessions should be destroyed after changing password

Bug #1328705 reported by Son Nguyen
Affects   Status        Importance   Assigned to   Milestone
Mahara    Fix Released  Medium       Son Nguyen
1.10      Fix Released  Medium       Son Nguyen
1.7       Fix Released  Medium       Unassigned
1.8       Fix Released  Medium       Unassigned
1.9       Fix Released  Medium       Unassigned

Bug Description

Reported by FaisaL Ahmed, http://www.faisalahmed.me/

In Mahara, changing the password doesn't destroy the other sessions which are
logged in with the old password.
As the other sessions are not destroyed, an attacker may still be logged in to your
account even after you change the password, as his session is still
active; he'll have complete access to your account till that session
expires!
So, your account remains insecure even after the changing of the password.

We have 2 options to solve this:
1. Delete all active sessions right after a user changes his/her password.
2. Facebook solved this issue by adding a process that asks
users whether they want to close all open sessions or not right after
changing the password.

Tags: security
Son Nguyen (ngson2000)
information type: Public → Public Security
information type: Public Security → Private Security
tags: added: security
removed: session
Son Nguyen (ngson2000)
description: updated
Aaron Wells (u-aaronw) wrote :

We should just delete all the users' other sessions, no need to ask them about it. Mahara doesn't have a "remember me" option like Facebook, so most of the time when you open your browser and navigate to a Mahara site you have to enter your password again anyway.

Changed in mahara:
importance: High → Medium
Aaron Wells (u-aaronw) wrote :

Dropping the priority to medium, because this is not an active vulnerability, but more of a defense-in-depth thing.

Changed in mahara:
milestone: none → 1.10.0
Son Nguyen (ngson2000) wrote :

The user session also needs to be destroyed when his/her account is deleted.
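The two flows discussed in this report (evicting a user's other sessions when the password changes, and evicting every session when the account is deleted) can be illustrated with a small server-side session store. The following is an added example, not Mahara's code, written in Python rather than Mahara's PHP so it can be run stand-alone; the SessionStore and UserService classes, their method names, and the sample passwords are all constructed for this illustration. It implements option 1 from the description (no prompt; the session that made the change survives, all others are dropped in the same step as the credential update), and the account-deletion case from the comment above.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    sid: str
    user_id: int
    created_at: float = field(default_factory=time.time)


class SessionStore:
    """Minimal server-side session table keyed by opaque session id.

    Constructed for this example; a real deployment would back this with the
    database table or cache the application already uses for its sessions.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: int) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self._sessions[sid] = Session(sid, user_id)
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self._sessions

    def owner(self, sid: str) -> Optional[int]:
        s = self._sessions.get(sid)
        return s.user_id if s else None

    def sessions_for(self, user_id: int) -> List[str]:
        return [s.sid for s in self._sessions.values() if s.user_id == user_id]

    def destroy_other_sessions(self, user_id: int, keep_sid: str) -> int:
        """Option 1 from the report: drop every session of this user except the
        one that performed the password change. Returns the number dropped."""
        stale = [sid for sid in self.sessions_for(user_id) if sid != keep_sid]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def destroy_all_sessions(self, user_id: int) -> int:
        """Account deletion: no session of the user may survive."""
        stale = self.sessions_for(user_id)
        for sid in stale:
            del self._sessions[sid]
        return len(stale)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class UserService:
    """Hypothetical account service wiring the store into both flows."""

    def __init__(self, store: SessionStore) -> None:
        self.store = store
        self._credentials: Dict[int, Tuple[bytes, bytes]] = {}
        self._next_id = 1

    def register(self, password: str) -> int:
        user_id = self._next_id
        self._next_id += 1
        self._credentials[user_id] = hash_password(password)
        return user_id

    def verify(self, user_id: int, password: str) -> bool:
        cred = self._credentials.get(user_id)
        if cred is None:
            return False
        salt, expected = cred
        _, actual = hash_password(password, salt)
        return hmac.compare_digest(expected, actual)

    def change_password(self, user_id: int, current_sid: str,
                        old_password: str, new_password: str) -> Optional[int]:
        """Returns the number of other sessions destroyed, or None when the
        request is rejected (session not owned by the user, or wrong old
        password); nothing changes in the rejected case."""
        if self.store.owner(current_sid) != user_id or not self.verify(user_id, old_password):
            return None
        self._credentials[user_id] = hash_password(new_password)
        # The point of the bug: rotating the credential and evicting every
        # session authenticated with the old one must happen together.
        return self.store.destroy_other_sessions(user_id, current_sid)

    def delete_account(self, user_id: int) -> int:
        self._credentials.pop(user_id, None)
        return self.store.destroy_all_sessions(user_id)
```

Because the check happens at the store rather than in the session cookie, a session that is still held by another browser is rejected on its very next request; the only session left valid after change_password is the one that supplied the old password.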

Son Nguyen (ngson2000) wrote :
Robert Lyon (robertl-9)
information type: Private Security → Public Security
Aaron Wells (u-aaronw)
Changed in mahara:
milestone: 1.10.0 → none
status: Fix Committed → Fix Released