Broken Authentication & session management #468

Closed
lemonkabir opened this issue Dec 19, 2018 · 3 comments

Comments

@lemonkabir

Hello there
Author: Turan Al Ayat
Bug details: https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
Steps to reproduce the bug:
Step 1: Go to Browser A and log in with your credentials at https://pi-staging.decred.org.

Step 2: Similarly, go to Browser B and log in with the same credentials at https://pi-staging.decred.org.

Step 3: Suppose Browser B is a shared computer's browser, and you left your account logged in on that computer. Go to Browser A and change your account password.

Step 4: When you change your account password in Browser A, the session in Browser B should expire and the account should automatically be logged out.

Step 5: Go to Browser B, visit your account page and refresh the page.

You will notice that even after changing the account password in Browser A, the session in Browser B didn't expire, which can cause major problems. And also after that I can change user information.

{Notes: You can say we notify users on login, but after changing the password I am able to make some changes}

Impact:
Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other related functions. Because “walk by” attacks are likely for many web applications, all account management functions should require reauthentication even if the user has a valid session id.

Thanks
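A server-side pattern that closes the gap described in this report, as an added example that is not Politeia's own code: each user carries a password generation counter, every session records the counter it was issued under, and a session is honoured only while the two still match, so changing the password from Browser A expires Browser B's session on its next request while Browser A itself stays logged in. The names Store, Login, Validate and ChangePassword, and the in-memory maps, are assumptions of this sketch.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
)

// Store is a constructed in-memory model (single goroutine, not the project's code).
type Store struct {
	gens     map[string]uint64  // userID -> current password generation
	sessions map[string]session // token -> session and the generation it was issued under
}
type session struct {
	userID      string
	passwordGen uint64
}

func NewStore() *Store {
	return &Store{gens: map[string]uint64{}, sessions: map[string]session{}}
}

// Login issues a random token bound to the user's current password generation.
func (s *Store) Login(userID string) string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand.Read never returns an error (Go 1.24+ aborts instead)
	token := hex.EncodeToString(b)
	s.sessions[token] = session{userID, s.gens[userID]}
	return token
}

// Validate maps a token to its user only while the token's generation is current; a stale session is dropped on first use.
func (s *Store) Validate(token string) (string, bool) {
	sess, ok := s.sessions[token]
	if !ok || sess.passwordGen != s.gens[sess.userID] {
		delete(s.sessions, token)
		return "", false
	}
	return sess.userID, true
}

// ChangePassword bumps the generation (expiring every other session of the user) and re-binds the calling session.
func (s *Store) ChangePassword(token string) bool {
	userID, ok := s.Validate(token) // a reauthentication check belongs here as well
	if !ok {
		return false
	}
	s.gens[userID]++
	s.sessions[token] = session{userID, s.gens[userID]}
	return true
}
```

Because a stale session is rejected on its next request rather than at the moment of the change, the same check must run on every account-management endpoint, not only on page load.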

@degeri
Member

degeri commented Dec 19, 2018

This is supposed to be filed under pi. I'll check this and get back.

@degeri
Member

degeri commented Dec 19, 2018

Hi, nice catch. Can you please close this and join us here: decred/politeia#647. Thank you :)

@dajohi
Member

dajohi commented Dec 22, 2018

Closed by decred/politeia#647

@dajohi dajohi closed this as completed Dec 22, 2018