Opened 22 months ago

Last modified 22 months ago

#5499 new defect

Vulnerability Report 1 : Failure to invalidate session on Password Change

Reported by: ather iqbal Owned by: rails-dev@…
Priority: minor Milestone: OSM 0.5
Component: website Version: 2.0
Keywords: check quick and pay me Cc:


Hi team,

I am a security researcher and this time I found this vulnerability in your website.

Vulnerability : Failure to invalidate session on Password Change

I observed that when we change the password from one browser, instead of the session expiring in the other browser, the password is simply updated there too and the old session in the other browser stays active without being logged out.

Steps to check the session management issue on password change:

1- Log in from two browsers at the same time [from Chrome and from Mozilla Firefox]
2- Change the password in the settings from the Chrome browser
3- Now check Mozilla Firefox
4- Your session got updated instead of expiring


If the session is updated from one browser, the other should expire first, and a new session should only be issued after logging in again.



Ather Iqbal

Change History (1)

comment:1 Changed 22 months ago by Tom Hughes

Priority: critical → minor

This bug tracker is no longer in regular use - please use for reporting issues.

Perhaps you could explain why you feel this is a vulnerability - the other session was validly authenticated with the password that existed at the time. Presumably the argument is that IF a password is being changed because it has been compromised the old session might have been started by somebody who was not supposed to have been in possession of the password?

The problem is that I don't believe there is any way we can invalidate the session as things stand, because there is no way to find all the sessions for a given user.
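The standard way around not being able to enumerate a user's sessions is to make each session carry a copy of a per-user version number that the server bumps on every password change, so the per-request `current_user` check rejects stale sessions without ever looking them up. The following is an added example written for this ticket, not OpenStreetMap's code and not a Rails API: it models a Rails-style cookie session in plain Ruby (the `User`, `UserStore`, `login`, `current_user_naive`, `current_user` and `reproduce` names are all this example's own), replays the two-browser procedure from the report, and shows the reported behaviour beside the hardened check. The password hashing is a placeholder for bcrypt and the user names and passwords are constructed sample data.

```ruby
require 'securerandom'
require 'digest'

# Added example, not OpenStreetMap's code. A Rails-style cookie session is
# modelled in plain Ruby: the session carries the user id plus a copy of a
# per-user "session version". The version is bumped on every password
# change, and the request-time check compares the two, so every other
# session dies without the server ever having to enumerate them.

class User
  attr_reader :id, :name, :session_version

  def initialize(id, name, password)
    @id = id
    @name = name
    @session_version = 0 # incremented on every password change
    store_password(password)
  end

  # Stand-in for bcrypt / has_secure_password; hashing is not the point here.
  def authenticate?(password)
    Digest::SHA256.hexdigest(@salt + password) == @password_digest
  end

  # Rotating the version is what invalidates the other sessions.
  def change_password!(new_password)
    store_password(new_password)
    @session_version += 1
  end

  private

  def store_password(password)
    @salt = SecureRandom.hex(16)
    @password_digest = Digest::SHA256.hexdigest(@salt + password)
  end
end

class UserStore
  def initialize(users)
    @by_id = {}
    @by_name = {}
    users.each { |u| @by_id[u.id] = u; @by_name[u.name] = u }
  end

  def find(id)
    @by_id[id]
  end

  def find_by_name(name)
    @by_name[name]
  end
end

# Returns the session hash a browser would hold (nil on bad credentials).
def login(store, name, password)
  user = store.find_by_name(name)
  return nil unless user && user.authenticate?(password)
  { user_id: user.id, session_version: user.session_version }
end

# The behaviour reported in the ticket: a session stays valid as long as
# the user row exists, whatever has happened to the password since.
def current_user_naive(store, session)
  store.find(session[:user_id])
end

# Hardened check: the session must still carry the user's current version.
def current_user(store, session)
  user = store.find(session[:user_id])
  return nil unless user && session[:session_version] == user.session_version
  user
end

# Replays the two-browser procedure from the report and returns what each
# check sees afterwards. Names and passwords are constructed sample data.
def reproduce
  alice = User.new(1, 'alice', 'old-password')
  store = UserStore.new([alice])

  # 1. Log in from two browsers at the same time.
  chrome  = login(store, 'alice', 'old-password')
  firefox = login(store, 'alice', 'old-password')

  # 2. Change the password from Chrome, then refresh Chrome's own cookie so
  #    the browser that made the change stays logged in.
  current_user(store, chrome).change_password!('new-password')
  chrome[:session_version] = alice.session_version

  # 3. Check Firefox under both request-time checks.
  {
    naive_firefox_still_logged_in: !current_user_naive(store, firefox).nil?,
    hardened_firefox_logged_out: current_user(store, firefox).nil?,
    hardened_chrome_still_logged_in: !current_user(store, chrome).nil?,
    old_password_rejected: login(store, 'alice', 'old-password').nil?
  }
end

puts reproduce.inspect if $PROGRAM_NAME == __FILE__
```

In a real Rails application the version would be a column on the users table (or a hash of the password digest) written into the session at login and compared in `current_user`; the same check also handles the compromised-password case raised in the comment above, because the attacker's session carries the version from before the change. The one session to keep alive is the one that performed the change, which is why the example rewrites Chrome's cookie with the new version.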
