Project

General

Profile

Actions

Defect #35417

closed

User sessions not reset after 2FA activation

Added by Holger Just over 3 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Accounts / authentication
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

Felix Schäfer reports via email to

Hello,

Currently a user signed up on multiple browsers/machines can activate 2FA in one session but still continue using the other sessions. This presents a security risk if an attacker has or gets control of one of those other sessions.

The attached patch resets all the session, autologin and recovery keys of a user when 2FA is set up. Maybe a warning could also be added to the 2FA set up screen about this so that users with multiple active sessions are not surprised about getting logged out from the other sessions.

Thank you,

Felix Schäfer


Files

2fa-session-reset.patch (1.24 KB) 2fa-session-reset.patch Holger Just, 2021-06-14 11:18
test_for_35417.patch (1.18 KB) test_for_35417.patch Marius BĂLTEANU, 2021-07-27 23:15

Related issues

Related to Redmine - Feature #1237: Add support for two-factor authenticationClosedGo MAEDA2008-05-14

Actions
Actions

Also available in: Atom PDF