View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0007324||OXID eShop (all versions)||4.02. Session handling||public||2022-06-20 10:21||2022-06-20 13:19|
|Target Version||Fixed in Version|
|Summary||0007324: Existing sessions not destroyed on password change|
|Description||One of our customers was made aware, that existing sessions are not destroyed when changing a users password and asked us to report it. If a users account is compromised he changes his password, but to no avail as the session of the unauthorized person remains active without requiring a new login. The customer is aware, that the unauthorized person should not have gotten access to the account in the first place, yet he still thinks it would be a security improvement, if sessions were destroyed upon changing the password.|
|Steps To Reproduce||1. Login to the user account in browser 1 (e.g. Firefox)|
2. Login to the user account in browser 2 (e.g. Chrome)
3. Let's assume, the account was compromised and the session in browser 1 was started by a different person who should not have access. So the owner of the account changes his password either by using the change password or the forgot password feature in browser 2. The user successfully changes his password using any of those 2 methods.
4. The session in browser 1 is not destroyed and remains active, the unauthorized user remains logged in
|Additional Information||Requested solution by the customer:|
Destroy all sessions of a user account and force a new login upon the next request as soon as the password was changed by any of the available methods. Maybe also give the user a possibility, to close all active sessions except his own from the my account page and maybe even list some information about the active sessions (like IP, country, user agent, start time, etc.). Changing the password from the admin backend should also destroy all sessions.
|PHP Version||Not defined|
|Database Version||Not defined|