When changing a user's password, all existing sessions for this user should be destroyed #10177
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
duplicate
For issues that already existed in our issue tracker and were reported previously.
This improvement was reported and suggested by Abhishek Abhishek:
Proof of Concept
Suppose you have an account on Piwik.
Somehow an attacker manages to get your password and logs in to your account. After learning that your ID has been compromised, what will you do?
I guess the first thing that will pop into your head is, "I should change my password!", and you'll change the password. Most users just change their password when they recover their ID.
In Piwik, changing the password doesn't destroy the other sessions which are logged in with the old password.
(Logging in with the new password doesn't invalidate the older sessions either.)
As the other sessions are not destroyed, the attacker will still be logged in to your account even after you change the password, because his session is still active. He'll have complete access to your account until that session expires!
So your account remains insecure even after changing the password.
Solution
So there are two ways: either let users choose whether they want to keep their active sessions, or just destroy every active session when a user changes his/her password!
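The scenario above and the "destroy every active session" remedy, as an added example that is not Matomo's/Piwik's code nor the reporter's (Matomo itself is PHP; this is a standalone Python model of a server-side session store). The names `SessionStore`, `change_password`, the `password_version` stamp and the sample users are assumptions for the illustration. Two points go beyond the report: the surviving session is re-issued under a fresh id rather than kept, and every session remembers the password version it was issued under, so a session that somehow escapes the purge is still rejected.

```python
# Added illustration, not Matomo/Piwik code: sessions are revoked on password change.
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; chosen only to keep the example dependency-free."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class User:
    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        # Bumped on every password change. Sessions remember the value that was
        # current when they were issued, so a stale session is detectable even
        # if it somehow survived the purge in change_password().
        self.password_version = 0

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, hash_password(password, self.salt))


class SessionStore:
    """Server-side sessions: session id -> (username, password_version)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, tuple] = {}

    def create(self, user: User) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user.username, user.password_version)
        return sid

    def destroy_for_user(self, username: str) -> int:
        doomed = [sid for sid, (u, _) in self._sessions.items() if u == username]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

    def resolve(self, sid: str, users: Dict[str, User]) -> Optional[User]:
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, version = entry
        user = users.get(username)
        if user is None or version != user.password_version:
            # Session predates the current password: treat it as logged out.
            self._sessions.pop(sid, None)
            return None
        return user


def login(store: SessionStore, users: Dict[str, User],
          username: str, password: str) -> Optional[str]:
    user = users.get(username)
    if user is None or not user.check_password(password):
        return None
    return store.create(user)


def change_password(store: SessionStore, users: Dict[str, User], sid: str,
                    old_password: str, new_password: str,
                    keep_current_session: bool = True) -> Optional[str]:
    """Change the password of the user who owns `sid`.

    Every session of that user is destroyed (the attacker's included). With
    keep_current_session=True the caller receives a freshly issued session id
    so the legitimate user stays logged in; with False the user is logged out
    everywhere and None is returned. Raises ValueError on an invalid session
    or a wrong current password.
    """
    user = store.resolve(sid, users)
    if user is None or not user.check_password(old_password):
        raise ValueError("invalid session or wrong current password")
    user.salt = secrets.token_bytes(16)
    user.password_hash = hash_password(new_password, user.salt)
    user.password_version += 1
    store.destroy_for_user(user.username)
    return store.create(user) if keep_current_session else None


def demo() -> dict:
    """Replays the report's scenario with constructed users; returns who can still get in."""
    users = {"alice": User("alice", "hunter2")}
    store = SessionStore()
    victim = login(store, users, "alice", "hunter2")
    attacker = login(store, users, "alice", "hunter2")   # logged in with the stolen password
    attacker_in_before = store.resolve(attacker, users) is not None
    new_sid = change_password(store, users, victim, "hunter2", "correct horse battery")
    return {
        "attacker_in_before": attacker_in_before,
        "attacker_in_after": store.resolve(attacker, users) is not None,
        "old_victim_sid_valid": store.resolve(victim, users) is not None,
        "new_victim_sid_valid": store.resolve(new_sid, users) is not None,
        "old_password_still_works": login(store, users, "alice", "hunter2") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The purge in `destroy_for_user` is the fix the report asks for; the `password_version` check in `resolve` is cheap insurance for deployments where sessions live in several backends (files, database, a cache) and a purge might miss one.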