Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Password reset link should expire automatically after passowrd changed #650

Closed
lemonkabir opened this issue Dec 22, 2018 · 1 comment · Fixed by #1167
Closed

Password reset link should expire automatically after passowrd changed #650

lemonkabir opened this issue Dec 22, 2018 · 1 comment · Fixed by #1167

Comments

@lemonkabir
Copy link

Summary:
When a user request a reset password.Then he can remember his password.So he doesn't use password reset link he kept it.Now he changed his password. Now he is safe because he changed password. So hacker/attacker can't use this password because password already changed but in your case they are able to use this after password change.

POC:

1.request for reset passwrod.

  1. then login with your credintial

  2. Change your password. changed password :

  3. then go your kept password reset link used it and gain access.

Video POC == >> https://streamable.com/n12ka

solution :
password reset link should expire automatically after changing password.

Thanks
@xaur xaur mentioned this issue Dec 26, 2018
Closed
@lemonkabir
Copy link
Author

No.It's also a unique bug.

lukebp added a commit to lukebp/politeia that referenced this issue Feb 9, 2020
@lukebp
politeiawww: Move sessions to userdb.
594c811 
This diff moves user sessions from a session store backed by the
filesystem to a session store backed by the userdb. It implements a
custom sessions store that satisfies the gorrilla/sessions Store
interface.

Moving the session store to the userdb accomplishes a few things:

1. Allows us to manually invalidate sessions. An example being when a
   user changes their password we can invalidate their sessions on all
   other devices. This was not previously possible with the filesystem
   store implementation.

2. Removes one of the blocking issues that is preventing us from running
   multiple politeiawww instances.

This diff does not fix issues decred#647 or decred#650. It is a prerequisite for
fixing those issues, but those issues will be fixed in the next PR.
@lukebp lukebp mentioned this issue Feb 9, 2020
Merged
lukebp added a commit that referenced this issue Feb 13, 2020
@lukebp @al-maisan
politiawww: Move sessions to userdb.
8361a1d 
This diff moves user sessions from a session store backed by the
filesystem to a session store backed by the userdb. It implements a
custom sessions store that satisfies the gorrilla/sessions Store
interface.

Moving the session store to the userdb accomplishes a few things:

1. Allows us to manually invalidate sessions. An example being when a
   user changes their password we can invalidate their sessions on all
   other devices. This was not previously possible with the filesystem
   store implementation.

2. Removes one of the blocking issues that is preventing us from running
   multiple politeiawww instances.

This diff does not fix issues #647 or #650. It is a prerequisite for
fixing those issues, but those issues will be fixed in the next PR.

Co-authored-by: Muharem Hrnjadovic <muharem@linux.com>
@alexlyp alexlyp mentioned this issue Apr 7, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[www] Reset Password Token/Expiry on password change alexlyp/politeia
2 participants
@lukebp @lemonkabir