A logged in user is capable of changing his/her password without re-authentication.
This makes it possible to take over accounts and locking out the legitimate user when other security issues exists (Session Cookie hijacking, CSRF, XSS, etc...), or if the user forgot to log out.
Good practice is to re-authenticate password changes to have a layered security approach.
A logged in user is capable of changing his/her password without re-authentication.
This makes it possible to take over accounts and locking out the legitimate user when other security issues exists (Session Cookie hijacking, CSRF, XSS, etc...), or if the user forgot to log out.
Good practice is to re-authenticate password changes to have a layered security approach.