
When changing a user's password, all existing sessions for this user should be destroyed #10177

Closed
mattab opened this issue May 23, 2016 · 1 comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. duplicate For issues that already existed in our issue tracker and were reported previously.

Comments

@mattab
Member

mattab commented May 23, 2016

This improvement was reported and suggested by Abhishek Abhishek:

Proof of Concept

Suppose you have an account on Piwik.

Somehow an attacker manages to get your password and logs in to your account. After learning that your ID has been compromised, what will you do?
I guess the first thing that will pop into your head is "I should change my password!", and you'll change the password. Most users just change their password when they recover their ID.
In Piwik, changing the password doesn't destroy the other sessions that are logged in with the old password.
(Logging in with the new password doesn't invalidate the older sessions either.)
As the other sessions are not destroyed, the attacker will still be logged in to your account even after you change the password, because his session is still active. He'll have complete access to your account until that session expires!
So your account remains insecure even after changing the password.

Solution

When someone changes his/her password, each and every active session that belongs to that particular account must be destroyed!

I would recommend you to follow Facebook on this security issue. They fixed this issue a few months back by adding a process that asks users whether they want to close all open sessions right after changing the password.

So there are two ways: either you let users choose whether they want to keep active sessions, or you just destroy every active session when users change his/her password!
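The mechanism the report asks for, as an added example that is not Matomo's code and not part of the original issue: an in-memory authentication service (names such as `AuthService`, `password_version` and `change_password` are assumptions for this illustration) where every session records the password version it was issued under. Changing the password bumps the version, so any session created under the old password is rejected at its next request without the server having to enumerate sessions, and the `keep_current_session` flag covers both options from the report (keep the changer's own session, re-issued under a fresh id, or log everything out).

```python
"""Invalidate every existing session when a user changes their password.

Added example, not Matomo/Piwik code. Sessions are stored in memory and
carry the password version they were created under; a version mismatch
means "issued under an old password" and the session is refused.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    password_version: int = 0  # incremented on every password change


@dataclass
class Session:
    user: str
    password_version: int  # version of the password this session was issued under


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a modest iteration count keeps the example fast to run.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AuthService:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, _hash_password(password, salt))

    def _password_ok(self, user: User, password: str) -> bool:
        return hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt))

    def _issue_session(self, user: User) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user.name, user.password_version)
        return sid

    def login(self, name: str, password: str):
        """Return a session id on success, None on bad credentials."""
        user = self.users.get(name)
        if user is None or not self._password_ok(user, password):
            return None
        return self._issue_session(user)

    def is_authenticated(self, sid: str) -> bool:
        s = self.sessions.get(sid)
        if s is None:
            return False
        if s.password_version != self.users[s.user].password_version:
            # Issued under a previous password: evict it lazily and refuse.
            del self.sessions[sid]
            return False
        return True

    def change_password(self, sid: str, old_password: str, new_password: str,
                        keep_current_session: bool = True):
        """Rotate the password and invalidate all sessions issued under the old one.

        Returns a fresh session id for the caller when keep_current_session is
        True, otherwise None (the caller is logged out along with everyone else).
        """
        if not self.is_authenticated(sid):
            raise PermissionError("not logged in")
        user = self.users[self.sessions[sid].user]
        if not self._password_ok(user, old_password):
            raise PermissionError("current password incorrect")
        user.salt = secrets.token_bytes(16)
        user.pw_hash = _hash_password(new_password, user.salt)
        user.password_version += 1  # every existing session is now stale
        del self.sessions[sid]
        return self._issue_session(user) if keep_current_session else None

    def active_sessions(self, name: str) -> list:
        # Copy the items first: is_authenticated() may evict stale entries.
        return [sid for sid, s in list(self.sessions.items())
                if s.user == name and self.is_authenticated(sid)]


def demo(keep_current_session: bool = True) -> dict:
    """Constructed scenario from the report: a second session holds the old password."""
    svc = AuthService()
    svc.register("victim", "old-password")
    own_sid = svc.login("victim", "old-password")
    stale_sid = svc.login("victim", "old-password")  # the session the owner did not open
    new_sid = svc.change_password(own_sid, "old-password", "new-password",
                                  keep_current_session=keep_current_session)
    return {
        "stale_session_still_valid": svc.is_authenticated(stale_sid),
        "own_session_valid": new_sid is not None and svc.is_authenticated(new_sid),
        "old_password_still_works": svc.login("victim", "old-password") is not None,
        "remaining_sessions": len(svc.active_sessions("victim")),
    }


if __name__ == "__main__":
    print(demo())
```

The version counter is what makes this work for session stores that cannot be enumerated cheaply (signed cookies, distributed caches): no session list has to be walked at change time, the check happens on the next request. Re-issuing the changer's own session under a new id rather than keeping the old one also removes any id the previous password-holder may have observed.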


@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label May 23, 2016
@mattab mattab added this to the Mid term milestone May 23, 2016
@mattab mattab modified the milestones: 3.1.0, Backlog (Help wanted) Jun 24, 2017
@mattab mattab added the duplicate For issues that already existed in our issue tracker and were reported previously. label Aug 24, 2017
@mattab
Member Author

mattab commented Aug 24, 2017

duplicates #6531

@mattab mattab closed this as completed Aug 24, 2017
@mattab mattab removed this from the 3.2.0 milestone Sep 14, 2017