WordPress / two-factor

Two-Factor Authentication for WordPress.
https://wordpress.org/plugins/two-factor/
GNU General Public License v2.0
705 stars 145 forks

Previously created sessions continue being valid after initial 2FA activation #577

Closed dd32 closed 10 months ago

dd32 commented 1 year ago

Is your enhancement related to a problem? Please describe.

When activating 2FA on an account, existing login sessions remain active.

Steps To Reproduce:

  1. Access the same account on example.com from two devices.
  2. On device 'A', go to example.com and complete all steps to activate the 2FA system. 2FA is now activated for this account.
  3. Back on device 'B', reload the page. The session is still active.

This is considered to be not ideal, as users who are setting up 2FA may be doing it in response to a compromised account. This is a low-impact issue however, as changing one's password will invalidate other sessions already, and there's also a "Destroy other sessions" profile setting. The password change causing other sessions to expire is a good enough reason to me why enabling 2FA should also invalidate other sessions.

This was reported via HackerOne by Tanvir0x1.

Proposed Solution

When 2FA is enabled for login, existing sessions should be terminated automatically without having to click "Destroy other sessions".

Designs

No response

Describe alternatives you've considered

No response

Please confirm that you have searched existing issues in this repository.

Yes
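The behaviour proposed above, written as an added example that is not the two-factor plugin's own code and is not part of the issue: a small mu-plugin that destroys a user's other sessions at the moment 2FA is first enabled, using only WordPress core session and meta hooks. It assumes the plugin records enabled providers in the user meta key `_two_factor_enabled_providers` as a non-empty array (empty or missing means 2FA is off); the `tf_example_` function names and the constant are hypothetical.

```php
<?php
/**
 * Added example, not the two-factor plugin's own code: end a user's other
 * sessions at the moment two-factor authentication is first enabled, so a
 * session an attacker already holds does not outlive the 2FA setup.
 *
 * Assumptions (not stated on the page):
 *  - The plugin keeps the list of enabled providers in the user meta key
 *    '_two_factor_enabled_providers' as an array of provider class names; an
 *    empty or missing value means 2FA is off for that account.
 *  - The tf_example_ function names and TF_EXAMPLE_META_KEY are hypothetical.
 * WP_Session_Tokens, wp_get_session_token() and the *_user_meta actions are
 * WordPress core APIs.
 */

const TF_EXAMPLE_META_KEY = '_two_factor_enabled_providers';

// Fires before the meta row is first created (first enable on this account).
add_action( 'add_user_meta', 'tf_example_on_add', 10, 3 );
// Fires before an existing row is overwritten (provider list changes later).
add_action( 'update_user_meta', 'tf_example_on_update', 10, 4 );

function tf_example_on_add( $user_id, $meta_key, $meta_value ) {
    if ( TF_EXAMPLE_META_KEY === $meta_key ) {
        // No row existed, so the previous state is "no providers".
        tf_example_handle_transition( (int) $user_id, array(), $meta_value );
    }
}

function tf_example_on_update( $meta_id, $user_id, $meta_key, $meta_value ) {
    if ( TF_EXAMPLE_META_KEY === $meta_key ) {
        // Read the stored value before core overwrites it.
        $old = get_user_meta( (int) $user_id, TF_EXAMPLE_META_KEY, true );
        tf_example_handle_transition( (int) $user_id, $old, $meta_value );
    }
}

/**
 * Destroy sessions only on the off -> on transition, so adding a second
 * provider to an account that already has 2FA does not log the user out again.
 */
function tf_example_handle_transition( $user_id, $old_value, $new_value ) {
    $was_enabled = is_array( $old_value ) && ! empty( $old_value );
    $now_enabled = is_array( $new_value ) && ! empty( $new_value );

    if ( $was_enabled || ! $now_enabled ) {
        return;
    }

    $sessions = WP_Session_Tokens::get_instance( $user_id );

    if ( get_current_user_id() === $user_id ) {
        // The user enabled 2FA in this session: keep it, drop every other one.
        // Same effect as the "Destroy other sessions" profile button, automatic.
        $sessions->destroy_others( wp_get_session_token() );
    } else {
        // Someone else (an administrator) enabled 2FA on this account. None of
        // the account's sessions has passed a second-factor check, so drop all.
        $sessions->destroy_all();
    }
}
```

Dropped into `wp-content/mu-plugins/`, this makes the reproduction steps above end with device 'B' being logged out on its next request: the auth cookie still carries a session token, but `wp_validate_auth_cookie()` rejects it once the token is gone from the user's session store. The pre-write hooks (`add_user_meta`, `update_user_meta`) are used rather than the post-write ones so the previous provider list can still be read and the logout fires only on the first enable.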