** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1328705
Title:
  Other active sessions should be destroyed after changing password

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Committed
Status in Mahara 1.7 series:
  Fix Released
Status in Mahara 1.8 series:
  Fix Released
Status in Mahara 1.9 series:
  Fix Released

Bug description:
  Reported by FaisaL Ahmed, http://www.faisalahmed.me/

  In Mahara, changing the password doesn't destroy the other sessions
  which are logged in with the old password. As the other sessions are
  not destroyed, an attacker may still be logged in to your account even
  after changing the password, as his session is still active. He'll
  have complete access to your account till that session expires! So
  your account remains insecure even after changing the password.

  We have 2 options to solve this:
  1. Delete all active sessions right after a user changes his/her
     password
  2. Facebook solved this issue by adding a process that asks users
     whether they want to close all open sessions or not right after
     changing the password.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1328705/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to : [email protected]
Unsubscribe : https://launchpad.net/~mahara-contributors
More help : https://help.launchpad.net/ListHelp
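The mitigation the report asks for, as an added example that is not part of the bug thread and not Mahara's own code. It is a minimal in-memory session store (the `User`, `Session` and `SessionStore` names and the PBKDF2 hashing are assumptions made for this illustration) that does two things when a password changes: it deletes every other session the user holds (option 1 when `keep_current=False`, option 2 when the session that made the change survives), and it stamps each session with the password "generation" it was authenticated under, so any session that somehow outlives the revocation is still rejected on its next request.

```python
"""Destroy a user's other sessions when their password changes.

Added example, not Mahara's code: an in-memory store standing in for a
sessions table. Constructed users/passwords are used as sample input.
"""
import hashlib
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so the example runs with the standard library only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0  # bumped on every password change


@dataclass
class Session:
    sid: str
    user: str
    pw_generation: int  # password generation this session logged in under
    created: float = field(default_factory=time.time)


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._users: Dict[str, User] = {}

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = User(name, salt, hash_password(password, salt))

    def _check(self, user: User, password: str) -> bool:
        return secrets.compare_digest(user.pw_hash, hash_password(password, user.salt))

    def login(self, name: str, password: str) -> Optional[str]:
        user = self._users.get(name)
        if user is None or not self._check(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, name, user.pw_generation)
        return sid

    def current_user(self, sid: str) -> Optional[str]:
        """Resolve a session to its user; None if the session is invalid."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        # Defence in depth: a session authenticated under an older password
        # is rejected even if the revocation below somehow missed it.
        if sess.pw_generation != self._users[sess.user].pw_generation:
            del self._sessions[sid]
            return None
        return sess.user

    def change_password(self, sid: str, old: str, new: str, keep_current: bool = True) -> bool:
        """Change the password and destroy the user's other sessions.

        keep_current=True is option 2 from the report (the session that made
        the change stays logged in); keep_current=False is option 1.
        Requiring the old password means a session hijacked without the
        password cannot be used to lock the real owner out.
        """
        name = self.current_user(sid)
        if name is None:
            return False
        user = self._users[name]
        if not self._check(user, old):
            return False
        user.salt = os.urandom(16)
        user.pw_hash = hash_password(new, user.salt)
        user.pw_generation += 1
        for sess in [s for s in self._sessions.values() if s.user == name]:
            if keep_current and sess.sid == sid:
                sess.pw_generation = user.pw_generation  # re-stamp the survivor
            else:
                del self._sessions[sess.sid]
        return True

    def active_sessions(self, name: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user == name)


def demo() -> Tuple[Optional[str], Optional[str], int]:
    """Victim changes the password while an attacker holds a second session."""
    store = SessionStore()
    store.register("alice", "correct horse")          # constructed sample user
    victim = store.login("alice", "correct horse")
    attacker = store.login("alice", "correct horse")  # logged in with the leaked password
    assert store.current_user(attacker) == "alice"
    assert store.change_password(victim, "correct horse", "battery staple")
    return store.current_user(attacker), store.current_user(victim), store.active_sessions("alice")


if __name__ == "__main__":
    print(demo())  # attacker's session gone, victim's kept, one session left
```

In a real deployment the revocation is a `DELETE` against the session table (or a scan of the session backend) keyed by user id, and the generation check is the cheap backstop for any session the delete misses, such as one held in a cache or a second node.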

