Closed sudheendra17 closed 2 years ago
We do send audit emails to let the user know that their password has been changed; but if you want to revoke existing sessions too then you can do so here:
with something like:
```sql
-- inside the password-change function, where v_user is the user whose password was just changed
delete from app_private.sessions
where user_id = v_user.id
  and sessions.uuid <> app_public.current_session_id();
```
This issue is regarding invalidating a session after a password change
Steps to reproduce:
1) Go to https://graphile-starter.herokuapp.com
2) Create an account or log in
3) Open another incognito tab and request a password change for the same account
4) Change the password for the account in the incognito tab
5) Observe that the account in the original tab does not get logged out and is still active
IMPACT:
This issue can sometimes lead to an account takeover since the user is not aware of his password change. As a best practice it is always advised to invalidate the existing sessions after the password change.
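The following is an added example, not code from graphile-starter or from either participant in this issue. It replays the reported steps (two sessions for one account, password changed from the second) against a constructed in-memory SQLite schema that stands in for app_public.users and app_private.sessions, and applies the revocation from the maintainer's comment: after the change, every session of that user except the one that performed it is deleted. The table names, the PBKDF2 hashing and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3
import uuid

# Constructed stand-in for the users and sessions tables (not the project's schema).
SCHEMA = """
CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    password_hash BLOB NOT NULL,
    salt          BLOB NOT NULL
);
CREATE TABLE sessions (
    uuid    TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _hash_password(password, salt):
    # Salted PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(conn, password):
    salt = os.urandom(16)
    cur = conn.execute(
        "INSERT INTO users (password_hash, salt) VALUES (?, ?)",
        (_hash_password(password, salt), salt),
    )
    conn.commit()
    return cur.lastrowid


def verify_password(conn, user_id, password):
    row = conn.execute(
        "SELECT password_hash, salt FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(row[0], _hash_password(password, row[1]))


def login(conn, user_id, password):
    """Creates a session (one per browser tab in the report). Returns its id or None."""
    if not verify_password(conn, user_id, password):
        return None
    session_id = str(uuid.uuid4())
    conn.execute(
        "INSERT INTO sessions (uuid, user_id) VALUES (?, ?)", (session_id, user_id)
    )
    conn.commit()
    return session_id


def session_is_active(conn, session_id):
    row = conn.execute("SELECT 1 FROM sessions WHERE uuid = ?", (session_id,)).fetchone()
    return row is not None


def change_password(conn, session_id, old_password, new_password):
    """Changes the password of the session's user and revokes all other sessions.

    Returns the number of sessions revoked, or None if the change was refused
    (unknown session or wrong current password).
    """
    row = conn.execute("SELECT user_id FROM sessions WHERE uuid = ?", (session_id,)).fetchone()
    if row is None:
        return None
    user_id = row[0]
    if not verify_password(conn, user_id, old_password):
        return None
    salt = os.urandom(16)
    conn.execute(
        "UPDATE users SET password_hash = ?, salt = ? WHERE id = ?",
        (_hash_password(new_password, salt), salt, user_id),
    )
    # The mitigation from the comment above: keep only the session that made the change.
    cur = conn.execute(
        "DELETE FROM sessions WHERE user_id = ? AND uuid <> ?", (user_id, session_id)
    )
    conn.commit()
    return cur.rowcount


def reproduce_report():
    """Replays the reported steps and returns what each tab sees afterwards."""
    conn = open_db()
    user_id = create_user(conn, "old-password")
    tab_a = login(conn, user_id, "old-password")  # original tab
    tab_b = login(conn, user_id, "old-password")  # incognito tab
    revoked = change_password(conn, tab_b, "old-password", "new-password")
    return {
        "revoked": revoked,
        "tab_a_active": session_is_active(conn, tab_a),
        "tab_b_active": session_is_active(conn, tab_b),
        "old_password_still_works": login(conn, user_id, "old-password") is not None,
        "new_password_works": login(conn, user_id, "new-password") is not None,
    }


if __name__ == "__main__":
    print(reproduce_report())
```

Running the script shows the behaviour the report asks for: the incognito tab's session survives the change, the original tab's session is gone, and the old password no longer logs in. Keeping the current session alive rather than deleting all sessions mirrors the `uuid <> app_public.current_session_id()` clause in the comment, so the user who changed the password is not logged out of the tab they are working in.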