    Session is not invalidating after password change (Bug #1363873) · f103c650
    Robert Lyon authored
    Scenario/testing:
    
    - Create an account, say User A and logout as admin.
    - In one browser login (this will be the hacker user)
    - In another browser reset pass via forgotten pass link
    
    What should happen:
    User in browser two should be able to reset pass then navigate about
    as when normally logged in. User in browser one should be forced to
    login again as their user sessionid is not valid anymore.
    
    Before patch:
    malicious user still has access until $USER->logout_time time expires
    
    After patch:
    malicious user forced to re-login straight away on next page load
    
    Change-Id: I42ad907e5ffa7c128742a159116cf20dc6cd9b8a
    Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
lib.php 94.7 KB
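One way to implement the check the commit message calls for, as an added example that is not this commit's code or the project's own; the patch itself is not shown on this page, so the per-user change counter and the field names `pw_generation` and `established_gen` are assumptions:

```php
<?php
// Added illustration of the behaviour the commit describes, not the project's own
// patch. Field names (`pw_generation`, `established_gen`) are hypothetical. Each
// password change bumps a per-user counter; a session records the counter value it
// was established under and is rejected as soon as the two differ.

function create_user(array &$users, int $userid, string $password): void {
    $users[$userid] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'pw_generation' => 1];
}

// Returns a session id on success, null on bad credentials.
function login(array $users, array &$sessions, int $userid, string $password): ?string {
    if (!isset($users[$userid]) || !password_verify($password, $users[$userid]['hash'])) {
        return null;
    }
    $sid = bin2hex(random_bytes(16));
    $sessions[$sid] = ['userid' => $userid, 'established_gen' => $users[$userid]['pw_generation']];
    return $sid;
}

// Forgotten-password reset: store the new hash and bump the counter so every
// session established under the old password becomes stale.
function reset_password(array &$users, int $userid, string $newpassword): void {
    $users[$userid]['hash'] = password_hash($newpassword, PASSWORD_DEFAULT);
    $users[$userid]['pw_generation']++;
}

// Run on every page load. A stale session is destroyed immediately, so its holder
// must log in again instead of keeping access until the session timeout expires.
function session_is_valid(array $users, array &$sessions, string $sid): bool {
    if (!isset($sessions[$sid])) {
        return false;
    }
    $s = $sessions[$sid];
    if ($s['established_gen'] !== $users[$s['userid']]['pw_generation']) {
        unset($sessions[$sid]);
        return false;
    }
    return true;
}

// The scenario from the commit message: browser one logs in, browser two resets
// the password and logs in, and only the post-reset session survives the next page load.
$users = []; $sessions = [];
create_user($users, 1, 'original-pass');
$browser_one = login($users, $sessions, 1, 'original-pass');
reset_password($users, 1, 'new-pass');
$browser_two = login($users, $sessions, 1, 'new-pass');
printf("browser one valid: %s\n", session_is_valid($users, $sessions, $browser_one) ? 'yes' : 'no');
printf("browser two valid: %s\n", session_is_valid($users, $sessions, $browser_two) ? 'yes' : 'no');
```

A counter rather than a timestamp comparison avoids the ambiguity of a login and a reset landing in the same second.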