
Fix password change/reset not immediately invalidating other sessions #12928

Merged
Gargron merged 1 commit into master from fix-password-change-sessions-reset on Jan 23, 2020

Conversation

@Gargron (Member) commented Jan 23, 2020

While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated.

This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.

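The failure mode described above, as an added Ruby example that is not code from this pull request or from Mastodon: a constructed in-memory model of a user, their login sessions and the API token issued with each session (hypothetical classes, not Mastodon's SessionActivation or Doorkeeper models, with a SHA-256 stand-in for the real password hash). `change_password_lazy` reproduces the behaviour before the fix, where a session from before the change is only thrown out when it next makes a browser request while its API token keeps working; `change_password` revokes every other session immediately, which cuts off the tokens bound to them.

```ruby
require 'securerandom'
require 'digest'

# Constructed in-memory model of a user, the sessions created by logging in,
# and the API token issued with each session. Hypothetical classes written for
# this example; they are not Mastodon's SessionActivation/Doorkeeper models.
class Session
  attr_reader :token
  attr_accessor :digest_at_login, :revoked

  def initialize(digest_at_login)
    @token = SecureRandom.hex(16)      # API token bound to this session
    @digest_at_login = digest_at_login # password digest the session was created under
    @revoked = false
  end
end

class User
  attr_reader :sessions

  # Stand-in for a real password hash (bcrypt in a Rails app); constructed salt.
  def self.digest(password)
    Digest::SHA256.hexdigest("constructed-salt:#{password}")
  end

  def initialize(password)
    @password_digest = self.class.digest(password)
    @sessions = []
  end

  def login(password)
    raise ArgumentError, 'wrong password' unless @password_digest == self.class.digest(password)
    session = Session.new(@password_digest)
    @sessions << session
    session
  end

  # Browser request: the session is compared with the current digest, so a
  # session from before a password change is thrown out, but only at the
  # moment it happens to make a request.
  def browser_request(session)
    return false if session.revoked
    return true if session.digest_at_login == @password_digest
    session.revoked = true
    false
  end

  # API request: authenticated by token alone, so it keeps working until the
  # session the token belongs to is revoked.
  def api_request(token)
    session = @sessions.find { |s| s.token == token }
    !session.nil? && !session.revoked
  end

  # Before the fix: only the digest changes; other sessions (and their tokens)
  # stay valid until each one next makes a browser request.
  def change_password_lazy(current_session, new_password)
    @password_digest = self.class.digest(new_password)
    current_session.digest_at_login = @password_digest # keep the changer logged in
  end

  # After the fix: every other session is revoked right away, which also cuts
  # off the API token bound to it.
  def change_password(current_session, new_password)
    change_password_lazy(current_session, new_password)
    @sessions.each { |s| s.revoked = true unless s.equal?(current_session) }
  end
end

# Runs the scenario from the PR: a second session already exists when the
# owner changes the password. Returns what each access path does afterwards.
def demonstrate(eager:)
  user = User.new('old-pw')
  owner = user.login('old-pw')
  other = user.login('old-pw')         # pre-existing session held by someone else
  other_token = other.token
  if eager
    user.change_password(owner, 'new-pw')
  else
    user.change_password_lazy(owner, 'new-pw')
  end
  {
    api: user.api_request(other_token), # checked first: no browser request has happened yet
    browser: user.browser_request(other),
    owner: user.browser_request(owner)
  }
end

if __FILE__ == $PROGRAM_NAME
  p demonstrate(eager: false) # {:api=>true, :browser=>false, :owner=>true}
  p demonstrate(eager: true)  # {:api=>false, :browser=>false, :owner=>true}
end
```

The order of the checks in `demonstrate` matters: the API request is made before any browser request from the other session, which is exactly the window the PR describes, where the token still authenticates even though the session would be invalidated the next time it loads a page. The eager variant closes that window by revoking at password-change time rather than waiting for the session to reveal itself.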
@Gargron Gargron added the security Security issues and fixes, vulnerabilities label Jan 23, 2020
@Gargron Gargron merged commit daf7157 into master Jan 23, 2020
@Gargron Gargron deleted the fix-password-change-sessions-reset branch January 23, 2020 23:20
