Resetting password does not invalidate other sessions

If you’re logged in to multiple browsers and trigger a password reset from one of them, the other browsers remain logged in after you’ve set the new password.

The better practice is to invalidate any sessions established under a set of credentials when those credentials change.

Imagine someone else compromises your account and changes your password, but your session is still active so you don’t know anything’s happened. If the session was invalidated once they changed it, you’d try and log back in and know straight away.

This is also inconsistent with clicking “Log Out”, which does invalidate the other sessions.

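The pattern described in the post above, as an added illustration rather than Discourse’s own code: each session records the credential “generation” it was issued under, a password change bumps the generation, and every session issued under the old password stops validating at once. The `Account` class and its hashing are a constructed stand-in (a bare SHA-256 placeholder, not a production password KDF).

```ruby
require 'securerandom'
require 'digest'

# Constructed example: sessions bound to the credential generation
# they were issued under. Not Discourse's implementation.
class Account
  attr_reader :password_generation

  def initialize(password)
    @password_hash = hash_password(password)
    @password_generation = 0 # incremented on every credential change
    @sessions = {}           # session_id => generation at issue time
  end

  # Returns a session id on success, nil on a wrong password.
  def login(password)
    return nil unless @password_hash == hash_password(password)
    sid = SecureRandom.hex(16)
    @sessions[sid] = @password_generation
    sid
  end

  # A session is only valid if it was issued under the current generation.
  def session_valid?(sid)
    gen = @sessions[sid]
    !gen.nil? && gen == @password_generation
  end

  # Changing the password bumps the generation, so sessions from other
  # browsers (including one held by an attacker) no longer validate.
  def change_password(new_password)
    @password_hash = hash_password(new_password)
    @password_generation += 1
  end

  def logout(sid)
    @sessions.delete(sid)
  end

  private

  def hash_password(pw)
    # Placeholder hash for the example; a real system uses a salted KDF.
    Digest::SHA256.hexdigest(pw)
  end
end
```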

Yes, good point. @sam, we should add this to our list for when you are back.


Fixed via:

https://github.com/discourse/discourse/commit/2a3f71a9a1717c420c047dc379d3367858c82391

Backported to beta and stable.
