
mahara-contributors team mailing list archive

[Bug 1328705] Re: Other active sessions should be destroyed after changing password


** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1328705

Title:
  Other active sessions should be destroyed after changing password

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Committed
Status in Mahara 1.7 series:
  Fix Released
Status in Mahara 1.8 series:
  Fix Released
Status in Mahara 1.9 series:
  Fix Released

Bug description:
  Reported by FaisaL Ahmed, http://www.faisalahmed.me/

  In Mahara, changing the password doesn't destroy the other sessions which are
  logged in with the old password.
  As the other sessions are not destroyed, an attacker may still be logged in to your
  account even after changing the password, as his session is still
  active. He'll have complete access to your account till that session
  expires!
  So, your account remains insecure even after changing the password.

  We have 2 options to solve this:
  1. Delete all active sessions right after a user changes his/her password.
  2. Facebook solved this issue by adding a process that asks
  users whether they want to close all open sessions or not right after
  changing the password.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1328705/+subscriptions
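A minimal illustration of the two fixes proposed in the report, added here as example code; it is not Mahara's own implementation (Mahara is written in PHP, this is Python against a hypothetical in-memory SessionStore). Each session records the password "generation" it was opened under, so a session that was not re-stamped at password-change time fails validation even if the store could not enumerate it.

```python
import secrets


class SessionStore:
    """Hypothetical in-memory session table; a real deployment would back this with a DB or cache."""

    def __init__(self):
        self.sessions = {}       # session_id -> {"user": str, "pw_gen": int}
        self.pw_generation = {}  # user -> counter, bumped on every password change

    def login(self, user):
        # Session IDs must be unguessable; stamp the session with the current password generation.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "pw_gen": self.pw_generation.get(user, 0)}
        return sid

    def is_valid(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return False
        if s["pw_gen"] != self.pw_generation.get(s["user"], 0):
            # Opened under an old password: purge it lazily on its next request.
            del self.sessions[sid]
            return False
        return True

    def active_sessions(self, user):
        return [sid for sid in list(self.sessions)
                if self.sessions[sid]["user"] == user and self.is_valid(sid)]

    def change_password(self, user, current_sid, keep_others=False):
        """Rotate the user's password generation after the new password is stored.

        Option 1 (default): only the session performing the change survives.
        Option 2 (keep_others=True): the user was asked and chose to keep the
        other open sessions, so they are re-stamped with the new generation too.
        """
        new_gen = self.pw_generation.get(user, 0) + 1
        self.pw_generation[user] = new_gen
        if keep_others:
            survivors = [sid for sid, s in self.sessions.items() if s["user"] == user]
        else:
            survivors = [current_sid]
        for sid in survivors:
            self.sessions[sid]["pw_gen"] = new_gen
        # Any session of this user that was not re-stamped now fails is_valid().
        return new_gen
```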

