Bug 540550

Description Turan Al Ayat 2018-10-29 00:14:16 EDT

Hello there

Steps to reproduce the bug :
Step 1 : Go to Browser A at and login with your credentials at https://accounts.eclipse.org/user/login and login with your credentials.

Step 2 : Similarly, Go to Browser B at and login with your same credentials at https://accounts.eclipse.org/user/login and login with your credentials.

Step 3 : Suppose Browser B is an shared computer's browser, and you left your account logged in at that computer. Go to Browser A and change your account
password.

Step 4 : When you change your account password at Browser A , the session at Browser B should expire and the account should automatically logged out.

Step 5 : Go to Browser B , and visit your account page and refresh the page.

You will notice that even after changing the account password at Browser A , the session at Browser B didn't expired which can cause major problems. And also after that i can change user information

Thanks

Impact
Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other related functions. Because “walk by” attacks are likely for many web applications, all account management functions should require reauthentication even if the user has a valid session id.