
Terminate other sessions on credential changes
ClosedPublic

Authored by epriestley on Aug 3 2014, 6:31 PM.
Details

Summary

Fixes T5509. Currently, existing sessions live on even if you change your password.

Over the course of the program, we've received a lot of HackerOne reports that sessions do not terminate when users change their passwords. I hold that this isn't a security vulnerability: users can explicitly manage sessions, and this is more general and more powerful than tying session termination to password resets. In particular, many installs do not use a password provider at all (and no researcher has reported this in a general, application-aware way that discusses multiple authentication providers).

That said, dealing with these false positives is vaguely time consuming, and the "expected" behavior isn't bad for users, so just align behavior with researcher expectations: when passwords are changed, providers are removed, or multi-factor authentication is added to an account, terminate all other active login sessions.

Test Plan
  • Using two browsers, established multiple login sessions.
  • In one browser, changed account password. Saw session terminate and logout in the second browser.
  • In one browser, removed an authentication provider. Saw session terminate and logout in the second browser.
  • In one browser, added MFA. Saw session terminate and logout in the second browser.
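The behavior the summary and test plan describe, as an added example that is not code from this revision or from Phabricator: a minimal in-memory session store where a credential change (password changed, provider removed, MFA added) terminates every other active session of the user but keeps the session that made the change. The store, the event names and the `on_credential_change` helper are assumptions constructed for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    key_hash: str   # only a hash of the session key is kept server-side
    user: str
    active: bool = True


class SessionStore:
    """Constructed in-memory session store; not Phabricator's own code."""

    def __init__(self):
        self._sessions = {}  # key_hash -> Session

    @staticmethod
    def _hash(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def establish(self, user):
        # Returns the opaque session key a browser would hold in its cookie.
        key = secrets.token_hex(16)
        self._sessions[self._hash(key)] = Session(self._hash(key), user)
        return key

    def is_valid(self, key):
        s = self._sessions.get(self._hash(key))
        return s is not None and s.active

    def terminate_other_sessions(self, user, except_key):
        # Terminate every active session of `user` except the one identified
        # by `except_key` (the browser performing the credential change).
        keep = self._hash(except_key)
        terminated = 0
        for s in self._sessions.values():
            if s.user == user and s.active and s.key_hash != keep:
                s.active = False
                terminated += 1
        return terminated


# Constructed event names for the three triggers named in the summary.
CREDENTIAL_EVENTS = {"password_changed", "provider_removed", "mfa_added"}


def on_credential_change(store, user, current_key, event):
    # Only credential-affecting events revoke other sessions; other profile
    # edits leave them alone. Returns the number of sessions terminated.
    if event not in CREDENTIAL_EVENTS:
        return 0
    return store.terminate_other_sessions(user, current_key)
```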

Diff Detail

Repository
rP Phabricator
Branch
token3
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 2019
Build 2020: [Placeholder Plan] Wait for 30 Seconds

Event Timeline

epriestley retitled this revision from to Terminate other sessions on credential changes.
epriestley updated this object.
epriestley edited the test plan for this revision.
epriestley added a reviewer: btrahan.
btrahan edited edge metadata.
This revision is now accepted and ready to land. Aug 4 2014, 6:53 PM
epriestley updated this revision to Diff 24404.

Closed by commit rP95eeffff7e5d (authored by @epriestley).