-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Password reset link should expire automatically after passowrd changed #650
Comments
No.It's also a unique bug. |
lukebp
added a commit
to lukebp/politeia
that referenced
this issue
Feb 9, 2020
This diff moves user sessions from a session store backed by the filesystem to a session store backed by the userdb. It implements a custom sessions store that satisfies the gorrilla/sessions Store interface. Moving the session store to the userdb accomplishes a few things: 1. Allows us to manually invalidate sessions. An example being when a user changes their password we can invalidate their sessions on all other devices. This was not previously possible with the filesystem store implementation. 2. Removes one of the blocking issues that is preventing us from running multiple politeiawww instances. This diff does not fix issues decred#647 or decred#650. It is a prerequisite for fixing those issues, but those issues will be fixed in the next PR.
lukebp
added a commit
that referenced
this issue
Feb 13, 2020
This diff moves user sessions from a session store backed by the filesystem to a session store backed by the userdb. It implements a custom sessions store that satisfies the gorrilla/sessions Store interface. Moving the session store to the userdb accomplishes a few things: 1. Allows us to manually invalidate sessions. An example being when a user changes their password we can invalidate their sessions on all other devices. This was not previously possible with the filesystem store implementation. 2. Removes one of the blocking issues that is preventing us from running multiple politeiawww instances. This diff does not fix issues #647 or #650. It is a prerequisite for fixing those issues, but those issues will be fixed in the next PR. Co-authored-by: Muharem Hrnjadovic <muharem@linux.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary:
When a user request a reset password.Then he can remember his password.So he doesn't use password reset link he kept it.Now he changed his password. Now he is safe because he changed password. So hacker/attacker can't use this password because password already changed but in your case they are able to use this after password change.
POC:
1.request for reset passwrod.
then login with your credintial
Change your password. changed password :
then go your kept password reset link used it and gain access.
Video POC == >> https://streamable.com/n12ka
solution :
password reset link should expire automatically after changing password.
Thanks
The text was updated successfully, but these errors were encountered: