Page MenuHomePhabricator
Differential D10135

Terminate other sessions on credential changes
ClosedPublic
Actions

Authored by epriestley on Aug 3 2014, 6:31 PM.
Tags
None
Referenced Files
F14065373: D10135.diff
Tue, Nov 19, 4:25 AM
F14054679: D10135.id24374.diff
Sat, Nov 16, 3:58 AM
F14054676: D10135.id24404.diff
Sat, Nov 16, 3:51 AM
F14052372: D10135.diff
Fri, Nov 15, 8:39 AM
F14039141: D10135.diff
Mon, Nov 11, 4:02 AM
F14024067: D10135.diff
Thu, Nov 7, 5:34 AM
F14017668: D10135.id24404.diff
Mon, Nov 4, 9:00 PM
F13988081: D10135.id24404.diff
Mon, Oct 21, 1:02 PM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
Maniphest Tasks
T5509: Prompt users to terminate active sessions after changing passwords
Commits
Restricted Diffusion Commit
rP95eeffff7e5d: Terminate other sessions on credential changes
Summary

Fixes T5509. Currently, existing sessions live on even if you change your password.

Over the course of the program, we've recieved a lot of HackerOne reports that sessions do not terminate when users change their passwords. I hold that this isn't a security vulnerability: users can explicitly manage sessions, and this is more general and more powerful than tying session termination to password resets. In particular, many installs do not use a password provider at all (and no researcher has reported this in a general, application-aware way that discusses multiple authentication providers).

That said, dealing with these false positives is vaguely time consuming, and the "expected" behavior isn't bad for users, so just align behavior with researcher expectations: when passwords are changed, providers are removed, or multi-factor authentication is added to an account, terminate all other active login sessions.

Test Plan
  • Using two browsers, established multiple login sessions.
  • In one browser, changed account password. Saw session terminate and logout in the second browser.
  • In one browser, removed an authentication provider. Saw session terminate and logout in the second browser.
  • In one browser, added MFA. Saw session terminate and logout in the second browser.

Diff Detail

Repository
rP Phabricator
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

epriestley updated this revision to Diff 24374.Aug 3 2014, 6:31 PM
epriestley retitled this revision from to Terminate other sessions on credential changes.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
epriestley added a task: T5509: Prompt users to terminate active sessions after changing passwords.
Herald added a subscriber: epriestley. · View Herald TranscriptAug 3 2014, 6:31 PM
Harbormaster completed remote builds in B2019: Diff 24374.Aug 3 2014, 6:32 PM
btrahan accepted this revision.Aug 4 2014, 6:53 PM
btrahan edited edge metadata.
This revision is now accepted and ready to land.Aug 4 2014, 6:53 PM
epriestley closed this revision.Aug 4 2014, 7:04 PM
epriestley updated this revision to Diff 24404.

Closed by commit rP95eeffff7e5d (authored by @epriestley).

Revision Contents
Changeset List

Diff 24404

View Options

src/applications/auth/controller/PhabricatorAuthUnlinkController.php

Loading...
View Options

src/applications/auth/engine/PhabricatorAuthSessionEngine.php

Loading...
View Options

src/applications/settings/panel/PhabricatorSettingsPanelMultiFactor.php

Loading...
View Options

src/applications/settings/panel/PhabricatorSettingsPanelPassword.php

Loading...
Phabricator · Built by Phacility