Resetting password does not invalidate other sessions


(loopback0 - TDWTF) #1

If you’re logged in to multiple browsers, and trigger a password reset from one of them, after you’ve set the new password the other browsers remain logged in.

The better practice is to invalidate any sessions established under a set of credentials when those change.

Imagine someone else compromises your account and changes your password, but your session is still active so you don’t know anything’s happened. If the session was invalidated once they changed it, you’d try and log back in and know straight away.

This is also inconsistent with clicking “Log Out”, which does invalidate the other sessions.
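The behaviour described above, as an added example that is not part of the original post or of Discourse's code: a minimal in-memory session store that binds each session to the user's credential version at login time. A password change bumps the version, so every session issued before the change stops validating in every browser, and an explicit "log out everywhere" drops them outright. The `User`, `SessionStore` and `demo` names and the SHA-256 placeholder hashing are assumptions made for this example.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical user record: a password hash plus a counter that is
# incremented every time the password changes.
class User
  attr_reader :id, :credential_version

  def initialize(id, password)
    @id = id
    @credential_version = 1
    @salt = SecureRandom.hex(8)
    @password_hash = hash_password(password)
  end

  def authenticate(password)
    @password_hash == hash_password(password)
  end

  # Changing the password bumps the version; sessions created under the
  # old version no longer validate, whichever browser created them.
  def change_password(new_password)
    @password_hash = hash_password(new_password)
    @credential_version += 1
  end

  private

  def hash_password(password)
    # Constructed for the example; a real application would use bcrypt or argon2.
    Digest::SHA256.hexdigest("#{@salt}:#{password}")
  end
end

# In-memory session store keyed by an opaque random token.
class SessionStore
  def initialize
    @sessions = {}
    @users = {}
  end

  def register(user)
    @users[user.id] = user
  end

  # A new session records the credential version it was issued under.
  def login(user_id, password)
    user = @users[user_id]
    return nil unless user && user.authenticate(password)
    token = SecureRandom.hex(16)
    @sessions[token] = { user_id: user_id, version: user.credential_version }
    token
  end

  # A session is valid only if it exists and its recorded version still
  # matches the user's current credential version.
  def valid?(token)
    session = @sessions[token]
    return false unless session
    user = @users[session[:user_id]]
    !user.nil? && session[:version] == user.credential_version
  end

  # Explicit "log out everywhere": drop every session belonging to the user.
  def logout_all(user_id)
    @sessions.delete_if { |_, s| s[:user_id] == user_id }
  end
end

# Walks through the scenario in the post: two browsers logged in, then a
# password reset triggered from one of them. Returns the observed states.
def demo
  store = SessionStore.new
  user = User.new(42, 'old-password')
  store.register(user)

  browser_a = store.login(42, 'old-password')
  browser_b = store.login(42, 'old-password')
  before = [store.valid?(browser_a), store.valid?(browser_b)]

  user.change_password('new-password')          # reset from browser A
  after = [store.valid?(browser_a), store.valid?(browser_b)]

  relogin = store.valid?(store.login(42, 'new-password'))  # A logs back in
  old_creds = store.login(42, 'old-password')   # old password is rejected

  { before: before, after: after, relogin: relogin, old_creds_login: old_creds }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Storing the version in the session rather than deleting sessions at reset time means the check also covers sessions held in caches or other nodes that a delete might miss; a session presenting a stale version is simply refused, and the user is prompted to log in again, which is exactly the signal the post asks for.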


(Jeff Atwood) #2

Yes good point, @sam we should add this to our list for when you are back.


(Sam Saffron) #3

Fixed via:

https://github.com/discourse/discourse/commit/2a3f71a9a1717c420c047dc379d3367858c82391

backported to beta and stable


(Sam Saffron) #4