phpBB3 / PHPBB3-13095

Setting a new password should delete all sessions?

      Description

      Let's imagine an attacker gets access to your account.
      Once you get back your account, you change the password.
      Unfortunately, the attacker used a cookie for automated login.

      Now he can still use the auto-login to abuse your account, although he does not have the new password.

      Of course a user could manually delete the auto login keys and an admin can manually delete all sessions, but I think we should do that automatically when the password is changed.

            People

            Assignee:
            Elsensee Oliver Schramm
            Reporter:
            nickvergessen Joas Schilling [X] (Inactive)
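
One way to implement the behaviour requested in the description, as an added example that is not part of the original report and is not phpBB's code. The schema, the function names and the `keep_session` parameter are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3

# Hypothetical schema for this example; these are not phpBB's actual tables.
SCHEMA = """
CREATE TABLE users(user_id INTEGER PRIMARY KEY, pw_hash BLOB);
CREATE TABLE sessions(session_id TEXT PRIMARY KEY, user_id INTEGER);
CREATE TABLE autologin_keys(key_hash TEXT PRIMARY KEY, user_id INTEGER);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def _key_hash(token):
    # Store only a hash of the cookie value, so a database leak yields no usable keys.
    return hashlib.sha256(token.encode()).hexdigest()

def login(conn, user_id, remember=False):
    """Create a session; with remember=True also issue an auto-login cookie value."""
    session_id = secrets.token_hex(16)
    token = secrets.token_hex(32) if remember else None
    conn.execute("INSERT INTO sessions VALUES (?, ?)", (session_id, user_id))
    if token:
        conn.execute("INSERT INTO autologin_keys VALUES (?, ?)", (_key_hash(token), user_id))
    return session_id, token

def auto_login(conn, token):
    """Trade an auto-login cookie value for a fresh session, or None if it was revoked."""
    row = conn.execute("SELECT user_id FROM autologin_keys WHERE key_hash = ?",
                       (_key_hash(token),)).fetchone()
    return login(conn, row[0])[0] if row else None

def session_valid(conn, session_id):
    return conn.execute("SELECT 1 FROM sessions WHERE session_id = ?",
                        (session_id,)).fetchone() is not None

def change_password(conn, user_id, new_password, keep_session=None):
    """Set the new hash and revoke keys and all sessions except keep_session, atomically."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    with conn:  # commit on success, roll back on error: no half-revoked state
        conn.execute("UPDATE users SET pw_hash = ? WHERE user_id = ?", (salt + pw_hash, user_id))
        keys = conn.execute("DELETE FROM autologin_keys WHERE user_id = ?", (user_id,)).rowcount
        sess = conn.execute("DELETE FROM sessions WHERE user_id = ? AND session_id IS NOT ?",
                            (user_id, keep_session)).rowcount
    return keys, sess
```

Passing the session that performs the change as `keep_session` keeps the legitimate user logged in while every other session and every auto-login key for that account is revoked; leaving it as `None` logs out everywhere.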