View Issue Details

ID: 0007324
Project: OXID eShop (all versions)
Category: 4.02. Session handling
View Status: public
Last Update: 2022-06-20 13:19
Status: acknowledged
Resolution: open
Product Version: 6.4.2
Target Version:
Fixed in Version:
Summary: 0007324: Existing sessions not destroyed on password change
Description:
One of our customers was made aware that existing sessions are not destroyed when changing a user's password and asked us to report it. If a user's account is compromised, he changes his password, but to no avail, as the session of the unauthorized person remains active without requiring a new login. The customer is aware that the unauthorized person should not have gotten access to the account in the first place, yet he still thinks it would be a security improvement if sessions were destroyed upon changing the password.
Steps To Reproduce:
1. Log in to the user account in browser 1 (e.g. Firefox).
2. Log in to the user account in browser 2 (e.g. Chrome).
3. Let's assume the account was compromised and the session in browser 1 was started by a different person who should not have access. So the owner of the account changes his password either by using the change password or the forgot password feature in browser 2. The user successfully changes his password using any of those 2 methods.
4. The session in browser 1 is not destroyed and remains active; the unauthorized user remains logged in.

Additional Information:
Requested solution by the customer:
Destroy all sessions of a user account and force a new login upon the next request as soon as the password was changed by any of the available methods. Maybe also give the user a possibility to close all active sessions except his own from the my account page and maybe even list some information about the active sessions (like IP, country, user agent, start time, etc.). Changing the password from the admin backend should also destroy all sessions.
Theme: Not defined
Browser: Not defined
PHP Version: Not defined
Database Version: Not defined
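
The behaviour requested in this report, sketched as an added example that is not part of the report and not OXID eShop code: a server-side session registry that every password-change path calls to drop a user's sessions. The class `SessionRegistry`, its method names, the user ID and the IP addresses are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory stand-in for a server-side session table (not OXID's API).
final class SessionRegistry
{
    private array $sessions = []; // session id => ['user', 'ip', 'agent', 'started']

    public function login(string $userId, string $ip, string $agent): string
    {
        $sid = bin2hex(random_bytes(16)); // unpredictable session id
        $this->sessions[$sid] = ['user' => $userId, 'ip' => $ip, 'agent' => $agent, 'started' => time()];
        return $sid;
    }

    // Checked on every request: a destroyed session no longer resolves to a user.
    public function userFor(string $sid): ?string
    {
        return $this->sessions[$sid]['user'] ?? null;
    }

    // Data for an "active sessions" list on the my account page.
    public function listFor(string $userId): array
    {
        return array_filter($this->sessions, fn(array $s): bool => $s['user'] === $userId);
    }

    // Call from every password-change path: account page, forgot password, admin backend.
    // Pass $keepSid only for the "close all sessions except my own" feature.
    public function destroyAllFor(string $userId, ?string $keepSid = null): int
    {
        $removed = 0;
        foreach ($this->sessions as $sid => $s) {
            if ($s['user'] === $userId && $sid !== $keepSid) {
                unset($this->sessions[$sid]);
                $removed++;
            }
        }
        return $removed;
    }
}

// Constructed scenario following the steps to reproduce.
$reg = new SessionRegistry();
$browser1 = $reg->login('user-42', '203.0.113.7', 'Firefox'); // unauthorized person
$browser2 = $reg->login('user-42', '198.51.100.9', 'Chrome'); // account owner
$removed = $reg->destroyAllFor('user-42');                    // owner changed the password
$browser2 = $reg->login('user-42', '198.51.100.9', 'Chrome'); // forced new login, fresh id
var_dump($removed, $reg->userFor($browser1), count($reg->listFor('user-42')));
```

After the password change, the session id held by browser 1 resolves to no user, and the only listed session is the owner's new login.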



2022-06-20 13:19

administrator   ~0013824