Other active sessions should be destroyed after changing password
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Medium | Son Nguyen |
1.10 | Fix Released | Medium | Son Nguyen |
1.7 | Fix Released | Medium | Unassigned |
1.8 | Fix Released | Medium | Unassigned |
1.9 | Fix Released | Medium | Unassigned |
Bug Description
Reported by FaisaL Ahmed, http://
In Mahara, changing the password doesn't destroy the other sessions which are
logged in with the old password.
As the other sessions are not destroyed, an attacker may still be logged in to your
account even after the password is changed, as his session is still
active. He'll have complete access to your account until that session
expires!
So, your account remains insecure even after changing the password.
We have 2 options to solve this:
1. Delete all active sessions right after a user changes his/her password.
2. Facebook solved this issue by adding a process that asks
users whether they want to close all open sessions or not right after
changing the password.
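Option 1 above, as an added example that is not Mahara's code: a minimal hypothetical session store in Python where a password change re-authenticates the caller, stores the new hash and destroys the user's other sessions, so a session opened with the old password stops working immediately instead of living on until it expires. The class, method names and the sample user are constructed for this illustration.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Hypothetical server-side store: user -> (salt, hash), session id -> owning user."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}
        self.sessions: Dict[str, str] = {}

    def set_password(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)  # fresh salt on every password set
        self.users[name] = (salt, _hash(password, salt))

    def _check(self, name: str, password: str) -> bool:
        salt, pw_hash = self.users[name]
        return secrets.compare_digest(_hash(password, salt), pw_hash)

    def login(self, name: str, password: str) -> Optional[str]:
        if name not in self.users or not self._check(name, password):
            return None
        sid = secrets.token_urlsafe(32)  # unguessable session id per login
        self.sessions[sid] = name
        return sid

    def change_password(self, sid: str, old: str, new: str) -> bool:
        """Re-authenticate the caller, store the new hash, then drop the user's OTHER sessions."""
        name = self.sessions.get(sid)
        if name is None or not self._check(name, old):
            return False
        self.set_password(name, new)
        # The fix the report asks for: every session of this user except the current one is destroyed
        for stale in [s for s, owner in self.sessions.items() if owner == name and s != sid]:
            del self.sessions[stale]
        return True


def demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed scenario; returns (change ok, current alive, other alive, old password logs in)."""
    store = SessionStore()
    store.set_password("alice", "old-password")
    other_sid = store.login("alice", "old-password")  # e.g. a session left open on another device
    current_sid = store.login("alice", "old-password")
    changed = store.change_password(current_sid, "old-password", "new-password")
    return (changed, current_sid in store.sessions, other_sid in store.sessions,
            store.login("alice", "old-password") is not None)
```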
information type: Public → Public Security
information type: Public Security → Private Security
tags: added: security; removed: session
description: updated
information type: Private Security → Public Security
Changed in mahara:
milestone: 1.10.0 → none
status: Fix Committed → Fix Released
We should just delete all the users' other sessions, no need to ask them about it. Mahara doesn't have a "remember me" option like Facebook, so most of the time when you open your browser and navigate to a Mahara site you have to enter your password again anyway.