Other active sessions should be destroyed after changing password

Bug #1328705 reported by Son Nguyen on 2014-06-10
Affects | Status | Importance | Assigned to | Milestone
Mahara | Medium | Son Nguyen | 1.10
Medium | Son Nguyen | 1.7
Medium | Unassigned | 1.8
Medium | Unassigned | 1.9

Bug Description

Reported by FaisaL Ahmed, http://www.faisalahmed.me/

In Mahara, changing the password doesn't destroy the other sessions which are
logged in with the old password.
As the other sessions are not destroyed, an attacker may still be logged in to your
account even after changing the password, as his session is still
active; he'll have complete access to your account till that session
expires!
So, your account remains insecure even after the changing of the password.

We have 2 options to solve this:
1. Delete all active sessions right after a user changes his/her password.
2. Facebook solved this issue by adding a process that asks
users whether they want to close all open sessions or not right after
changing the password.

Son Nguyen (ngson2000) on 2014-06-10
information type: Public → Public Security
information type: Public Security → Private Security
tags: added: security
removed: session
Son Nguyen (ngson2000) on 2014-06-10
description: updated
Aaron Wells (u-aaronw) wrote :

We should just delete all the users' other sessions, no need to ask them about it. Mahara doesn't have a "remember me" option like Facebook, so most of the time when you open your browser and navigate to a Mahara site you have to enter your password again anyway.

Changed in mahara:
importance: High → Medium
Aaron Wells (u-aaronw) wrote :

Dropping the priority to medium, because this is not an active vulnerability, but more of a defense-in-depth thing.

Changed in mahara:
milestone: none → 1.10.0
Son Nguyen (ngson2000) wrote :

The user session also needs to be destroyed when his/her account is deleted.
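The two cases raised in this report (option 1 from the description: drop every other session when the password changes; and this comment: drop every session when the account is deleted) can be demonstrated with a small server-side session table. The following is an added example written for this page, not Mahara's own code; it assumes sessions are tracked server-side keyed by session id, uses PBKDF2 for password hashing, and keeps the session that performed the password change alive while invalidating all others. The `SessionStore` and `UserStore` names are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 200_000


@dataclass
class Session:
    session_id: str
    user_id: str
    active: bool = True


class SessionStore:
    """Constructed in-memory stand-in for a server-side session table."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        # Fresh, unpredictable session id for every login.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user_id)
        return sid

    def is_active(self, sid: str) -> bool:
        s = self._sessions.get(sid)
        return s is not None and s.active

    def destroy_for_user(self, user_id: str, keep: Optional[str] = None) -> int:
        """Invalidate every active session of user_id except `keep`.

        Returns the number of sessions destroyed, so callers can log it.
        """
        destroyed = 0
        for s in self._sessions.values():
            if s.user_id == user_id and s.active and s.session_id != keep:
                s.active = False
                destroyed += 1
        return destroyed


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return secrets.compare_digest(candidate, digest)


class UserStore:
    """Minimal account store wired to the session table."""

    def __init__(self, sessions: SessionStore) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        self.sessions = sessions

    def register(self, user_id: str, password: str) -> None:
        self._users[user_id] = hash_password(password)

    def login(self, user_id: str, password: str) -> Optional[str]:
        creds = self._users.get(user_id)
        if creds is None or not verify_password(password, *creds):
            return None
        return self.sessions.create(user_id)

    def change_password(self, user_id: str, old_password: str,
                        new_password: str, current_sid: str) -> int:
        """Re-authenticate, rotate the hash, then drop all *other* sessions."""
        creds = self._users.get(user_id)
        if creds is None or not verify_password(old_password, *creds):
            raise PermissionError("current password does not match")
        self._users[user_id] = hash_password(new_password)
        return self.sessions.destroy_for_user(user_id, keep=current_sid)

    def delete_account(self, user_id: str) -> int:
        """Remove the account and every session belonging to it."""
        self._users.pop(user_id, None)
        return self.sessions.destroy_for_user(user_id)


if __name__ == "__main__":
    store = SessionStore()
    users = UserStore(store)
    users.register("alice", "old-pw")
    browser = users.login("alice", "old-pw")      # the user's own session
    stale = users.login("alice", "old-pw")        # a second session elsewhere
    users.change_password("alice", "old-pw", "new-pw", current_sid=browser)
    print("own session still active:", store.is_active(browser))
    print("other session active:", store.is_active(stale))
```

The password change re-checks the current password before anything else, so a session that has merely been hijacked cannot lock the real owner out by rotating the credential; the destroy step then runs after the new hash is committed, so there is no window in which the old password is still valid and other sessions are still alive.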

Robert Lyon (robertl-9) on 2014-08-01
information type: Private Security → Public Security
Aaron Wells (u-aaronw) on 2014-10-21
Changed in mahara:
milestone: 1.10.0 → none
status: Fix Committed → Fix Released