Uploaded image for project: 'phpBB'
  1. phpBB
  2. PHPBB-13095

Setting a new password should delete all sessions?

    XMLWordPrintable

Details

    Description

      Let's imagine an attacker get access to your account.
      Once you get back your account you change the password.
      Unfortunatly the attacker used a cookie for automated login.

      Now he can still use the auto-login to abuse your account, although he does not have the new password.

      Of course a user could manually delete the auto login keys and an admin can manually delete all sessions, but I think we should do that automatically when the password is changed.

      Attachments

        Activity

          People

            Elsensee Oliver Schramm [X] (Inactive)
            nickvergessen Joas Schilling [X] (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: