[PHPBB3-13095] Setting a new password should delete all sessions?

XML

Word

Printable

Details

Type: Improvement
Status: Closed (View Workflow)
Priority: Major
Resolution: Invalid
Affects Version/s: 3.0.12, 3.1.0-RC4
Fix Version/s: 3.1.5-RC1
Component/s: Sessions, User Control Panel (UCP)
Labels:
None

Description

Let's imagine an attacker get access to your account.
Once you get back your account you change the password.
Unfortunatly the attacker used a cookie for automated login.

Now he can still use the auto-login to abuse your account, although he does not have the new password.

Of course a user could manually delete the auto login keys and an admin can manually delete all sessions, but I think we should do that automatically when the password is changed.

Attachments

Activity

People

Assignee:: Oliver Schramm [X] (Inactive)

Reporter:: Joas Schilling

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 23/Sep/14 11:21 AM

Updated:: 02/May/15 7:29 PM

Resolved:: 02/May/15 7:29 PM