
Patch #17717

closed

Password/Email address change should invalidate security tokens

Added by Jan from Planio www.plan.io over 10 years ago. Updated about 10 years ago.

Status: Closed
Priority: Normal
Category: Security
Target version:
Start date:
Due date:
% Done: 90%
Estimated time:

Description

To improve user account security, we believe it is a good practice to:

  1. invalidate the password reset token (sent via email) once an account's email address is changed.
    (This prevents hackers who may be able to change a user's address (or trick him into doing it) from using an "old" password reset link previously sent via email once the email address has been changed back by the user.)
  2. invalidate the password reset token and autologin token once an account's password is changed.
    (This prevents hackers from still being able to log in after a user has potentially discovered a breach into his/her account and changed their password.)

The attached patch against current Redmine trunk implements this; tests included.
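As an added illustration of the two rules above (this is not the attached patch or Redmine's own code), a plain-Ruby model of a user with per-action security tokens; the action names 'recovery' (reset link) and 'autologin' (remember-me cookie) are assumed to match Redmine's, and the salted SHA-256 password hashing is only a stand-in for the real implementation.

```ruby
require 'securerandom'
require 'digest'
# A security token as Redmine models it: an action name plus a random value.
Token = Struct.new(:action, :value)

class User
  attr_reader :mail
  def initialize(mail, password)
    @mail = mail
    @tokens = []
    set_password(password)
  end

  # Issue a token, e.g. 'recovery' (password-reset link) or 'autologin'.
  def generate_token(action)
    Token.new(action, SecureRandom.hex(20)).tap { |t| @tokens << t }
  end

  def token_valid?(action, value)
    @tokens.any? { |t| t.action == action && t.value == value }
  end

  def check_password?(clear)
    @hashed_password == Digest::SHA256.hexdigest(@salt + clear)
  end

  # Point 1 of the patch: a new e-mail address drops every pending recovery token.
  def mail=(new_mail)
    return if new_mail == @mail # unchanged address: nothing to invalidate
    @mail = new_mail
    destroy_tokens('recovery')
  end

  # Point 2: a new password drops recovery and autologin tokens as well.
  def change_password(current, new_password)
    raise ArgumentError, 'current password is wrong' unless check_password?(current)
    set_password(new_password)
    destroy_tokens('recovery', 'autologin')
  end

  private
  def set_password(clear)
    @salt = SecureRandom.hex(16) # fresh salt on every change
    @hashed_password = Digest::SHA256.hexdigest(@salt + clear)
  end

  def destroy_tokens(*actions)
    @tokens.reject! { |t| actions.include?(t.action) }
  end
end
```

A failed password change (wrong current password) leaves all tokens untouched, so an attacker cannot use the invalidation path itself to log the owner out.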
