- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Invalid
- Affects Version/s: 3.0.12, 3.1.0-RC4
- Fix Version/s: 3.1.5-RC1
- Component/s: Sessions, User Control Panel (UCP)
- Labels: None
Let's imagine an attacker gets access to your account.
Once you get your account back, you change the password.
Unfortunately, the attacker used a cookie for automated login.
Now he can still use the auto-login to abuse your account, although he does not have the new password.
Of course a user could manually delete the auto-login keys and an admin can manually delete all sessions, but I think we should do that automatically when the password is changed.
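As an added illustration (not phpBB's own code; the `Account` class, `login_with_key` and the sample secrets are constructed), a minimal model of the flaw described in the report and of the behaviour the reporter asks for: on a password change, drop every other session and every auto-login key, keeping only the session that made the change so the user is not logged out.

```python
import hashlib
import hmac
import secrets
def _h(value: str) -> str:
    # Stand-in for a proper password/token hash; store hashes, never raw tokens.
    return hashlib.sha256(value.encode()).hexdigest()

class Account:
    def __init__(self, password: str):
        self.pw_hash = _h(password)
        self.sessions = set()        # live session ids
        self.autologin_keys = set()  # hashed "remember me" cookie keys

    def _new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions.add(sid)
        return sid

    def login(self, password: str, remember: bool = False):
        # Password login; returns (session id, auto-login key or None).
        if not hmac.compare_digest(self.pw_hash, _h(password)):
            return None
        key = secrets.token_hex(16) if remember else None
        if key:
            self.autologin_keys.add(_h(key))
        return self._new_session(), key

    def login_with_key(self, key: str):
        # Cookie auto-login: no password is checked at all.
        if _h(key) not in self.autologin_keys:
            return None
        return self._new_session()

    def change_password(self, new_password: str, keep_sid: str, revoke_others: bool):
        self.pw_hash = _h(new_password)
        if revoke_others:
            # The fix: keep only the session making the change, drop every key.
            self.sessions = {keep_sid}
            self.autologin_keys.clear()

def demo(revoke_others: bool) -> dict:
    # Constructed scenario from the report: attacker logged in with the old
    # password and ticked "remember me"; the owner then changes the password.
    acct = Account("old-secret")
    attacker_sid, attacker_key = acct.login("old-secret", remember=True)
    owner_sid, _ = acct.login("old-secret")
    acct.change_password("new-secret", owner_sid, revoke_others)
    return {"attacker_session_alive": attacker_sid in acct.sessions,
            "attacker_key_still_works": acct.login_with_key(attacker_key) is not None,
            "owner_session_alive": owner_sid in acct.sessions}
```

`demo(False)` reproduces the report (the attacker's session and cookie key both survive the password change); `demo(True)` shows the revoking variant, where only the owner's session remains.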