Apache Allura™

Forge software for hosting software projects

Brought to you by: alexluberg, brondsem, deshani, dill0wn, and 10 others

#8140 After password change, change current session id

Milestone: v1.6.0

Status: closed

Owner: Dave Brondsema

Labels: security (34)

Component: General

Reviewer: nobody

Updated: 2016-12-13

Created: 2016-12-12

Creator: Dave Brondsema

Private: No

Password changes invalidate all other sessions, but we should also cycle the current session's id. This will protect against the possibility of someone intercepting session cookies and then you change your password on the current session, so their copy of the cookies will no longer work.

Discussion

Dave Brondsema - 2016-12-12

status: in-progress --> review
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Kenton Taylor - 2016-12-13

Good fix, db/8140 is clear to merge.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2016-12-13

status: review --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2016-12-14

Milestone: unreleased --> v1.6.0
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Apache Allura™

Forge software for hosting software projects

Milestone

Searches

Help

#8140 After password change, change current session id

Discussion