What steps will reproduce the problem?
1. Login as user Admin to gitblit on Firefox
2. Login as user Admin to gitblit on Chrome and change password for Admin user
3. You still have full access under the cookies on Firefox even though password has
What is the expected output? What do you see instead?
Users whose passwords have changed can still connect and make changes to their own
account if they have not logged out or deleted their cookies.
What version of the product are you using? On what operating system?
Current Release 1.3.2 on Windows Server 2012 and CentOS 6.4
Please provide any additional information below.
If an admin user leaves an organization but had accessed the gitblit server through
his browser at home, he will still be able to access gitblit even after his password
has been changed and will have the ability to change back the admin password and create
havoc on the server.
Reported by email@example.com on 2014-01-22 06:45:27
You are right. The cookie has not been invalidated but it should be. I'll get that
The session is a little more complex. I don't think I can invalidate another user's
session directly. I've been planning on introducing a "disabled" flag for an account
so the user data is retained, but authentications would fail. I think that would help
here as I already refresh the UserModel in the session on each request to check for
new/removed repo permissions. It wouldn't be hard to check for the disabled flag at
the same time.
Fix has been implemented and merged to master. Sessions are checked on each page request
for cookie changes so it should immediately invalidate the user session. Additionally,
I have set all newly generated cookies to expire 7 days after generation.
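The mechanism the maintainer describes, as an added illustration that is not Gitblit's code: the cookie's authentication tag is keyed by the user's current password hash and re-checked on every request, so a password change or the proposed "disabled" flag rejects an old browser session on its next page load, and cookies expire after 7 days. The in-memory `UserStore`, the `name:issued:tag` cookie layout and the explicit `now` timestamp (a unix time passed in so expiry is testable) are assumptions of this example.

```python
import hashlib
import hmac
import os

COOKIE_LIFETIME = 7 * 24 * 3600  # seconds: the 7-day expiry described in the fix

class UserStore:
    def __init__(self):
        self.users = {}  # name -> {"salt", "pw_hash", "disabled"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _tag(self, name, issued):
        # Keyed by the *current* password hash: a password change invalidates every
        # cookie minted before it, with no need to reach into other browsers' sessions.
        key = self.users[name]["pw_hash"]
        return hmac.new(key, f"{name}:{issued}".encode(), "sha256").hexdigest()

    def add(self, name, password):
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "pw_hash": self._hash(password, salt),
                            "disabled": False}  # the proposed "disabled" flag

    def set_password(self, name, new_password):
        u = self.users[name]
        u["pw_hash"] = self._hash(new_password, u["salt"])

    def login(self, name, password, now):
        u = self.users.get(name)
        if u is None or u["disabled"]:
            return None
        if not hmac.compare_digest(u["pw_hash"], self._hash(password, u["salt"])):
            return None
        return f"{name}:{now}:{self._tag(name, now)}"

    def authenticate_cookie(self, cookie, now):
        # Run on every request, as the maintainer describes: a stale browser
        # session is refused on its next page load rather than only at logout.
        try:
            name, issued, tag = cookie.split(":")
            issued = int(issued)
        except ValueError:
            return None
        u = self.users.get(name)
        if u is None or u["disabled"] or now - issued > COOKIE_LIFETIME:
            return None
        ok = hmac.compare_digest(tag.encode(), self._tag(name, issued).encode())
        return name if ok else None
```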