phpBB3 / PHPBB3-13095

Setting a new password should delete all sessions?

      Description

      Let's imagine an attacker gets access to your account.
      Once you get back your account, you change the password.
      Unfortunately, the attacker used a cookie for automated login.

      Now he can still use the auto-login to abuse your account, although he does not have the new password.

      Of course a user could manually delete the auto login keys and an admin can manually delete all sessions, but I think we should do that automatically when the password is changed.

            People

            • Assignee: Elsensee Oliver Schramm
            • Reporter: nickvergessen Joas Schilling (Inactive)
            • Votes: 0
            • Watchers: 2

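The scenario from the report, modelled as an added example (not phpBB code and not part of the issue): `AuthStore`, its methods and the in-memory tables are hypothetical, and keeping the session that performed the change is an assumption of this sketch. With `revoke=False` an auto-login key issued before the password change still yields a new session; with `revoke=True` it no longer does.

```python
import hashlib
import hmac
import secrets


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _key_hash(key):
    # Only a digest of the auto-login key is stored server-side.
    return hashlib.sha256(key.encode()).hexdigest()


class AuthStore:
    """Hypothetical in-memory stand-in for user, session and login-key tables."""

    def __init__(self):
        self.users = {}       # user -> (salt, password hash)
        self.sessions = {}    # session id -> user
        self.login_keys = {}  # digest of auto-login key -> user

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, _pw_hash(password, salt))

    def login(self, user, password, remember=False):
        salt, stored = self.users[user]
        if not hmac.compare_digest(stored, _pw_hash(password, salt)):
            return None, None
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        key = None
        if remember:  # value that would be sent as the persistent cookie
            key = secrets.token_hex(16)
            self.login_keys[_key_hash(key)] = user
        return sid, key

    def auto_login(self, key):
        user = self.login_keys.get(_key_hash(key))
        if user is None:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def change_password(self, user, new_password, current_sid, revoke=True):
        self.set_password(user, new_password)
        if revoke:  # drop all auto-login keys and all other sessions of the user
            self.login_keys = {h: u for h, u in self.login_keys.items() if u != user}
            self.sessions = {s: u for s, u in self.sessions.items()
                             if u != user or s == current_sid}
```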