This repository has been archived by the owner on Mar 15, 2024. It is now read-only.

Performing a Takeover and changing the master password as an emergency contact does not log out active sessions. #829

Closed
SergeantConfused opened this issue Feb 14, 2021 · 3 comments

@SergeantConfused

Describe the Bug

When you take over another Bitwarden account as the emergency contact and change the master password, other sessions remain logged in.

Steps To Reproduce

  1. Log into your main Bitwarden account in a separate tab/browser.
  2. Create a test Bitwarden account and set this new test account as your emergency contact with Takeover access.
  3. Take over your main Bitwarden account as the emergency contact and change the master password.

Expected Result

To be logged out of the session in the other tab/browser.

Actual Result

You remain logged in. Browser extensions remain logged in and display an error.

Screenshots or Videos

(screenshot attached to the issue)

Environment

  • Operating system: Windows 10 Pro 19042.804.
  • Browser: Firefox 85.0.2.
  • Build Version: 2.18.1.

Additional Context

N/A.

@cscharf
Contributor

cscharf commented Feb 16, 2021

Hi @SergeantConfused, this is expected behavior, just as if you changed your own master password, your other active sessions would remain intact and able to decrypt the data in local storage in that client's vault, which can be locked and unlocked without trips to the server. The only time that's invalidated is when the access token expires and there's another trip to the server/API. This behavior has also saved many a person's hide when they've lost their MP or changed it w/o realizing and got locked out, but they still had another client logged in they were able to recover and export from before losing everything.

@cscharf cscharf closed this as completed Feb 16, 2021
@cscharf
Contributor

cscharf commented Feb 16, 2021

Just got news that I am only halfway correct and mostly wrong...

from SergeantConfused:

When I changed the master password through the Takeover flow, the extensions stayed logged in more than 90 minutes. When I changed the password through the standard change password flow, the same extensions logged out within 1 minute.

@cscharf cscharf reopened this Feb 16, 2021
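An added illustration, not Bitwarden's code, of the invariant the two comments above describe: a server-side "security stamp" is one common way to make a credential change fail every outstanding session at its next token refresh, and the emergency-access takeover path has to rotate it exactly like the standard change-password path. The stamp mechanism, the function names and the sample hashes are all assumptions for this model; the client-side local-vault behaviour cscharf describes is not modelled.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    """Constructed model of one account: password hash plus a security stamp (assumed mechanism)."""
    password_hash: str
    security_stamp: str = field(default_factory=lambda: secrets.token_hex(8))


@dataclass
class Session:
    """A client session bound to the stamp that was current when it was issued."""
    account: Account
    stamp_at_issue: str


def login(account: Account) -> Session:
    return Session(account, account.security_stamp)


def refresh_token(session: Session) -> bool:
    """Server-side check on each token refresh: reject if the stamp has rotated."""
    return session.stamp_at_issue == session.account.security_stamp


def change_password(account: Account, new_hash: str) -> None:
    """Standard flow: rotate the stamp so existing sessions fail on refresh."""
    account.password_hash = new_hash
    account.security_stamp = secrets.token_hex(8)


def takeover_change_password_buggy(account: Account, new_hash: str) -> None:
    """Takeover flow as reported: password replaced, stamp left untouched."""
    account.password_hash = new_hash


def takeover_change_password_fixed(account: Account, new_hash: str) -> None:
    """Fixed takeover flow: same invalidation as the standard flow."""
    change_password(account, new_hash)


def sessions_survive(flow) -> bool:
    """Run a flow and report whether a pre-existing session can still refresh."""
    acct = Account(password_hash="constructed-old-hash")
    existing = login(acct)
    flow(acct, "constructed-new-hash")
    return refresh_token(existing)
```

`sessions_survive` returns `True` only for the buggy takeover flow; a regression test for the fix asserts it is `False` for both password-change paths.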
@bitwarden-bot

Hi @SergeantConfused,
We're cleaning up our repositories in preparation for a major reorganization. Issues from last year will be marked as stale and closed after two weeks. If you still need help, comment to let us know and we'll look into it.
Thanks!
