
User sessions should expire upon password change #328

Closed
jholdstock opened this issue Apr 10, 2019 · 1 comment

Comments

@jholdstock
Member

commented Apr 10, 2019

When a user changes their password (either via password link, or change password form) their current sessions don't expire.

Steps To Reproduce:

  1. Login at https://teststakepool.decred.org
  2. Open an incognito window in your browser, or from any other computer open https://teststakepool.decred.org, then open the URL /passwordreset and enter the email you used to log in in Step 1.
  3. Now on the same incognito window or the same computer use the reset password link and change your password.
  4. Now return to the window you used in Step 1 and you will see that your session is still active and you can perform actions.

It can also be recreated using the normal change password form.

This vulnerability has been reported through the Bug Bounty program.

@jholdstock

Member Author

commented Jul 4, 2019

Similar issue on Politeia decred/politeia#647

Reading around the topic: gorilla/sessions#60
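One way to close the gap described in the report above and in the linked gorilla/sessions thread, as an added Go example that is not dcrstakepool's or gorilla/sessions' code: tie every session to a per-user generation counter, bump the counter on any password change (reset link or form), and reject sessions minted under an older generation. The `User`, `Session` and `Store` types are assumptions for this illustration.

```go
package main

import "errors"

// Hypothetical in-memory model (not the project's own code): a password change
// bumps the user's generation, so sessions minted earlier stop validating. A
// counter avoids the clock-skew pitfalls of comparing timestamps.
type User struct {
	ID         int
	SessionGen uint64
}

type Session struct {
	UserID int
	Gen    uint64
}

type Store map[int]*User

func NewStore(ids ...int) Store {
	s := Store{}
	for _, id := range ids {
		s[id] = &User{ID: id}
	}
	return s
}

// Login issues a session bound to the user's current generation.
func (s Store) Login(userID int) (Session, error) {
	u, ok := s[userID]
	if !ok {
		return Session{}, errors.New("unknown user")
	}
	return Session{UserID: userID, Gen: u.SessionGen}, nil
}

// ChangePassword invalidates every existing session and hands the changing client a fresh one.
func (s Store) ChangePassword(userID int) (Session, error) {
	u, ok := s[userID]
	if !ok {
		return Session{}, errors.New("unknown user")
	}
	u.SessionGen++
	return Session{UserID: userID, Gen: u.SessionGen}, nil
}

// Valid is the per-request check: an older-generation session is rejected even if its cookie is unexpired.
func (s Store) Valid(sess Session) bool {
	u, ok := s[sess.UserID]
	return ok && sess.Gen == u.SessionGen
}
```

The same check covers the incognito-window reset in the steps above: the Step 1 session was minted under the old generation and fails `Valid` after Step 3.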

@dajohi dajohi closed this in #410 Jul 25, 2019
