I have observed that when we change the "password" from one browser, instead of the session expiring in the other browser, it just updates the password and the old session in the other browser gets updated without being logged out.
Steps to reproduce:
1- Log in from two browsers at the same time [from Chrome and from Mozilla Firefox].
2- Change the password in settings from the Chrome browser.
3- Now check Mozilla Firefox.
4- Your session got "updated" instead of expiring.
Impact:
If an account is logged in in some browser, it will not be logged out of that browser after a password change; it stays logged in and can be used for malicious activities.
Recommendations:
If a session is being updated from one browser, the sessions in the other browsers should expire first, so that a session is renewed only after a fresh login.
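One way to implement the recommended behaviour, as an added example that is not the reported application's code: every session records the account's password "generation" at issue time, and a password change bumps that generation, so sessions held in other browsers stop validating while the browser that made the change receives a fresh token. The store, account names and passwords below are constructed for the example.

```python
import hashlib
import hmac
import secrets

class AccountStore:
    """Constructed example: each session records the password 'generation'
    current when it was issued; a password change bumps the generation, so
    sessions held in other browsers stop validating instead of carrying on."""
    def __init__(self):
        self.accounts = {}  # username -> {"salt", "hash", "generation"}
        self.sessions = {}  # token -> (username, generation at issue time)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.accounts[username] = {"salt": salt, "generation": 0,
                                   "hash": self._hash(password, salt)}

    def _check_password(self, username, password):
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(
            acct["hash"], self._hash(password, acct["salt"]))

    def _issue(self, username):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, self.accounts[username]["generation"])
        return token

    def login(self, username, password):
        return self._issue(username) if self._check_password(username, password) else None

    def is_valid(self, token):
        entry = self.sessions.get(token)
        if entry is None:
            return False
        username, gen = entry
        # The check the report found missing: an older generation means expired.
        return gen == self.accounts[username]["generation"]

    def change_password(self, token, old_password, new_password):
        """Every other session for the account expires; the caller's is re-issued."""
        if not self.is_valid(token):
            return None
        username, _ = self.sessions[token]
        if not self._check_password(username, old_password):
            return None
        acct = self.accounts[username]
        acct["salt"] = secrets.token_bytes(16)
        acct["hash"] = self._hash(new_password, acct["salt"])
        acct["generation"] += 1   # invalidates all existing sessions at once
        del self.sessions[token]  # rotate the caller's own token too
        return self._issue(username)
```

Because only a per-account counter changes, the same pattern works with a distributed session store where enumerating and deleting every session of a user is impractical.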