
User sessions should expire upon password change #328

Closed

jholdstock opened this issue Apr 10, 2019 · 1 comment · Fixed by #410

Comments

Member

@jholdstock jholdstock commented Apr 10, 2019

When a user changes their password (either via password link, or change password form) their current sessions don't expire.

Steps To Reproduce:

  1. Log in at https://teststakepool.decred.org
  2. Open an incognito window in your browser, or from any other computer open https://teststakepool.decred.org, then open the URL /passwordreset and enter the email you used to log in in Step 1.
  3. Now, in the same incognito window or on the same computer, use the reset password link and change your password.
  4. Now return to the window you used in Step 1 and you will see that your session is still active and you can perform actions.

It can also be recreated using the normal change password form.

This vulnerability has been reported through the bug bounty program.
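The fix the issue asks for is server-side: every session issued before the credential change must stop validating, regardless of which path (reset link or change-password form) changed the password. The following is an added illustration, not dcrstakepool's code or the fix merged in #410. It uses a hypothetical in-memory `Store` in which each user carries a session version number; a session is stamped with that number at login and rejected once the number has moved on. Stamping a version (rather than enumerating and deleting sessions) is what makes the approach work even for client-side cookie sessions that the server cannot list. Password hashing is deliberately out of scope here: `credential` is a placeholder for a bcrypt/argon2 hash.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// ErrSessionRevoked marks a session issued before the user's latest credential change.
var ErrSessionRevoked = errors.New("session revoked: credentials changed since issue")

// user is a hypothetical account record (not dcrstakepool's schema).
type user struct {
	credential []byte // placeholder: a real service stores a bcrypt/argon2 hash
	version    uint64 // incremented on every password change or reset
}

// session is the payload a signed cookie or server-side row would carry.
// version is the user's version at issue time; comparing it on every request
// is what lets old sessions be refused without enumerating them.
type session struct {
	userID  string
	version uint64
}

// Store is a minimal in-memory user/session store for this example.
type Store struct {
	mu       sync.Mutex
	users    map[string]*user
	sessions map[string]session // token -> session
}

func NewStore() *Store {
	return &Store{users: map[string]*user{}, sessions: map[string]session{}}
}

// AddUser registers an account starting at session version 1.
func (s *Store) AddUser(id, password string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.users[id] = &user{credential: []byte(password), version: 1}
}

// Login checks the credential and issues a token stamped with the user's current version.
func (s *Store) Login(id, password string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[id]
	if !ok || subtle.ConstantTimeCompare(u.credential, []byte(password)) != 1 {
		return "", errors.New("invalid credentials")
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := hex.EncodeToString(buf)
	s.sessions[token] = session{userID: id, version: u.version}
	return token, nil
}

// Validate resolves a token to a user ID, refusing sessions whose stamped
// version no longer matches the user's current version.
func (s *Store) Validate(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[token]
	if !ok {
		return "", errors.New("no such session")
	}
	u, ok := s.users[sess.userID]
	if !ok {
		return "", errors.New("no such user")
	}
	if sess.version != u.version {
		delete(s.sessions, token) // server-side store: drop the stale entry eagerly as well
		return "", ErrSessionRevoked
	}
	return sess.userID, nil
}

// ChangePassword replaces the credential and bumps the version. The bump is
// the step the issue reports as missing: every session issued earlier now
// fails Validate, whether the change came from the form or a reset link.
func (s *Store) ChangePassword(id, newPassword string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[id]
	if !ok {
		return errors.New("no such user")
	}
	u.credential = []byte(newPassword)
	u.version++
	return nil
}

func main() {
	st := NewStore()
	st.AddUser("alice", "old-pass") // constructed sample account
	tok, _ := st.Login("alice", "old-pass")
	_, err := st.Validate(tok)
	fmt.Println("before change:", err)
	_ = st.ChangePassword("alice", "new-pass")
	_, err = st.Validate(tok)
	fmt.Println("after change:", err)
}
```

Running `main` shows the session validating before the password change and returning `ErrSessionRevoked` afterwards, which is the behaviour the reproduction steps above show to be missing. In a real deployment the version would live in the user table next to the password hash, and the reset-link handler and the change-password handler would both go through the same `ChangePassword` path so neither can forget the bump.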

Member Author

@jholdstock jholdstock commented Jul 4, 2019

Similar issue on Politeia decred/politeia#647

Reading around the topic: gorilla/sessions#60

@dajohi dajohi closed this in #410 Jul 25, 2019