diced / zipline

A ShareX/file upload server that is easy to use, packed with features, and with an easy setup!
https://zipline.diced.sh/
MIT License

Bug: Session doesn't invalidate when password is changed #552

Open wdhdev opened 4 months ago

wdhdev commented 4 months ago

What happened?

When you change your Zipline account password, existing sessions do not get invalidated, and they stay signed in. This can be a security risk if your account got hacked.

Version

latest (ghcr.io/diced/zipline or ghcr.io/diced/zipline:latest)

What browser(s) are you seeing the problem on?

Firefox, Chromium-based (Chrome, Edge, Brave, Opera, mobile chrome/chromium based, etc)

Zipline Logs

No response

Browser Logs

No response

Additional Info

No response

diced commented 4 months ago

Hm, this seems like a big issue... I think it might be fixed in v4, but for the most part I probably won't add a fix for this in v3 (I guess try to not let other people use your account 😅)

wdhdev commented 4 months ago

Sounds good. Also, I probably should've reported this using the security advisories feature but I didn't see that before, my bad.
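
One way to close the gap reported in this issue, shown as an added example that is not part of the thread and is not Zipline's code: each session token is bound to a per-user session epoch, and a password change increments that epoch so tokens issued earlier stop verifying. The in-memory `users` map, the function names and the HMAC token format are all assumptions made for illustration.

```javascript
// Added example, not Zipline's implementation. All names are hypothetical.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32); // server-side signing key, generated for the demo
const users = new Map();               // username -> { salt, hash, epoch }

const hashPw = (pw, salt) => crypto.scryptSync(pw, salt, 32);
const sign = (body) => crypto.createHmac('sha256', SECRET).update(body).digest('base64url');

function createUser(name, pw) {
  const salt = crypto.randomBytes(16);
  users.set(name, { salt, hash: hashPw(pw, salt), epoch: 0 });
}

// Issue a signed token bound to the user's current session epoch.
function login(name, pw) {
  const u = users.get(name);
  if (!u || !crypto.timingSafeEqual(u.hash, hashPw(pw, u.salt))) return null;
  const body = Buffer.from(JSON.stringify({ name, epoch: u.epoch })).toString('base64url');
  return `${body}.${sign(body)}`;
}

// Return the username only if the token is authentic AND its epoch is still current.
function verifySession(token) {
  const [body, mac] = String(token).split('.');
  if (!body || !mac) return null;
  const expected = Buffer.from(sign(body));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const { name, epoch } = JSON.parse(Buffer.from(body, 'base64url').toString());
  const u = users.get(name);
  return u && u.epoch === epoch ? name : null;
}

// Changing the password bumps the epoch, so every earlier token is rejected.
// A fresh token is returned so the session that made the change stays signed in.
function changePassword(name, oldPw, newPw) {
  if (!login(name, oldPw)) return null;
  const u = users.get(name);
  u.salt = crypto.randomBytes(16);
  u.hash = hashPw(newPw, u.salt);
  u.epoch += 1;
  return login(name, newPw);
}
```

The same epoch check works with server-side session rows: store the epoch (or a password-changed timestamp) alongside each session and compare it on every request.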