#8140 After password change, change current session id

v1.6.0
closed
security (30)
General
nobody
2016-12-13
2016-12-12
No

Password changes invalidate all other sessions, but we should also cycle the current session's id. This will protect against the possibility of someone intercepting session cookies and then you change your password on the current session, so their copy of the cookies will no longer work.

Discussion

  • Dave Brondsema

    Dave Brondsema - 2016-12-12
    • status: in-progress --> review
     
  • Kenton Taylor

    Kenton Taylor - 2016-12-13

    Good fix, db/8140 is clear to merge.

     
  • Dave Brondsema

    Dave Brondsema - 2016-12-13
    • status: review --> closed
     
  • Dave Brondsema

    Dave Brondsema - 2016-12-14
    • Milestone: unreleased --> v1.6.0
     

Log in to post a comment.