Patch #17796
Expire all other sessions on password change
| Status: | Closed | Start date: | |||
|---|---|---|---|---|---|
| Priority: | Normal | Due date: | |||
| Assignee: |  Jean-Baptiste Barth | % Done: | 90% | ||
| Category: | Security | ||||
| Target version: | 2.6.0 |
Description
To improve user account security, we believe it is a good practice to expire all other active user sessions (on other computers or browsers) once a user changes their password.
Please find attached a patch that implements this feature against current trunk; tests included.
Associated revisions
Expire other sessions on password change (#17796).
Contributed by Jan Schulz-Hofen.
History
#1
Updated by Jean-Baptiste Barth over 6 years ago
- Assignee set to Jean-Baptiste Barth
Good practice I think. Same as #17717, I'd like to have some guidance about how we deal with that kind of patch. I didn't test this one but I'll review it and test it when I know what to do.
#2
Updated by Jean-Philippe Lang over 6 years ago
We can commit this patch now, but I'd like to change the new column to passwd_changed_on instead of password_changed_at.
#3
Updated by Etienne Massip over 6 years ago
- Project changed from Security to Redmine
- Category set to Security
- Target version set to 2.6.0
#4
Updated by Jean-Baptiste Barth over 6 years ago
- Status changed from Needs feedback to Closed
Added in r13412 with the column name requested by Jean-Philippe, and a minor typo fixed in the test. Thanks!