Bug 443883 - [site_login] Password change should invalidate all active sessions
Summary: [site_login] Password change should invalidate all active sessions
Status: RESOLVED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Website
Version: unspecified
Hardware: PC Windows 7
Importance: P3 normal
Target Milestone: ---
Assignee: phoenix.ui CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Duplicates: 453778
Depends on:
Blocks:
 
Reported: 2014-09-11 18:13 EDT by TANUJ JANE CLA
Modified: 2015-05-06 10:37 EDT

See Also:

Description TANUJ JANE CLA 2014-09-11 18:13:24 EDT
Vulnerability: All Active Sessions Do Not Expire Automatically After Changing Password

Vulnerability description:

When the password is changed, not all active sessions expire automatically.
* Industry Standard Procedure
When the password has been changed for any particular account, all the sessions which were active with the old password should be destroyed.

* Reason
If somehow anybody has hacked into your account and you realise that someone has trespassed into your account, then what will you do? You will change your password to secure your account. But on www.eclipse.org changing the password does not destroy the other sessions which are logged in with the old password. So your account remains insecure even after changing the password.

Log in with the same www.westernunion.com account in two different browsers.
Then try to change the password in any one browser.
Notice in the 2nd browser that the session does not expire.
Comment 1 Denis Roy CLA 2014-10-02 08:37:29 EDT
Agreed.
Comment 2 Christopher Guindon CLA 2014-12-08 12:19:39 EST
*** Bug 453778 has been marked as a duplicate of this bug. ***
Comment 3 TANUJ JANE CLA 2014-12-11 13:48:51 EST
My bug is 443883 and you tagged it as a duplicate of 453778.
How is it possible?
Comment 4 Christopher Guindon CLA 2014-12-11 13:52:25 EST
(In reply to TANUJ JANE from comment #3)
> My bug is 443883 and you tagged it as a duplicate of 453778.
> How is it possible?

Bug 453778 is a duplicate of your bug. Someone else created a bug about this after you.
Comment 5 TANUJ JANE CLA 2014-12-11 13:56:14 EST
(In reply to Christopher Guindon from comment #4)
> (In reply to TANUJ JANE from comment #3)
> > My bug is 443883 and you tagged it as a duplicate of 453778.
> > How is it possible?
> 
> Bug 453778 is a duplicate of your bug. Someone else created a bug about this
> after you.

Hello, my ID is 443883.
Comment 6 TANUJ JANE CLA 2015-01-09 16:01:04 EST
Hello,
Then who will get the credit for this bug?
Any Hall of Fame or bounty?
Comment 7 TANUJ JANE CLA 2015-01-09 16:04:59 EST
(In reply to Denis Roy from comment #1)
> Agreed.

Hello,
Then who will get the credit for this bug?
Any Hall of Fame or bounty?
Comment 8 Christopher Guindon CLA 2015-01-12 15:23:13 EST
(In reply to TANUJ JANE from comment #7)
> (In reply to Denis Roy from comment #1)
> > Agreed.
> 
> Hello,
> Then who will get the credit for this bug?
> Any Hall of Fame or bounty?

This should be fixed when we roll out the new site_login website:

https://git.eclipse.org/c/websites/dev.eclipse.org.git/commit/?id=875a68e987ac2c6e1f43c9345627b8196cc2e5fe&context=3&ignorews=0&ss=0


If the user clicks on the e-mail link to reset his password, we will destroy all existing sessions for that user.
Comment 9 Christopher Guindon CLA 2015-01-19 16:21:43 EST
This is now live, closing this bug.

thanks
Comment 10 TANUJ JANE CLA 2015-01-19 16:30:34 EST
(In reply to Christopher Guindon from comment #9)
> This is now live, closing this bug.
> 
> thanks

Hello Christopher,
Any HOF ?
Comment 11 Christopher Guindon CLA 2015-01-19 16:37:36 EST
(In reply to TANUJ JANE from comment #10)
> (In reply to Christopher Guindon from comment #9)
> > This is now live, closing this bug.
> > 
> > thanks
> 
> Hello Christopher,
> Any HOF ?

We are currently looking for a low-maintenance way of creating and maintaining a Hall of Fame page.

Feel free to help us out on this bug:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=421105
Comment 12 TANUJ JANE CLA 2015-01-19 16:45:05 EST
(In reply to Christopher Guindon from comment #11)
> (In reply to TANUJ JANE from comment #10)
> > (In reply to Christopher Guindon from comment #9)
> > > This is now live, closing this bug.
> > > 
> > > thanks
> > 
> > Hello Christopher,
> > Any HOF ?
> 
> We are currently looking for a low-maintenance way of creating and
> maintaining a Hall of Fame page.
> 
> Feel free to help us out on this bug:
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=421105

 Hello Christopher,
Any bounty ?
Comment 13 Christopher Guindon CLA 2015-01-20 09:52:15 EST
(In reply to TANUJ JANE from comment #12)
> (In reply to Christopher Guindon from comment #11)
> > (In reply to TANUJ JANE from comment #10)
> > > (In reply to Christopher Guindon from comment #9)
> > > > This is now live, closing this bug.
> > > > 
> > > > thanks
> > > 
> > > Hello Christopher,
> > > Any HOF ?
> > 
> > We are currently looking for a low-maintenance way of creating and
> > maintaining a Hall of Fame page.
> > 
> > Feel free to help us out on this bug:
> > https://bugs.eclipse.org/bugs/show_bug.cgi?id=421105
> 
>  Hello Christopher,
> Any bounty ?

We currently don't have a bounty program, but we are working on a HOF page.
Comment 14 Denis Roy CLA 2015-05-04 11:47:00 EDT
Another researcher is claiming that this is not working as expected; i.e., even after changing passwords, some sessions remain active and usable. Looking at the patch in comment 8, I suspect some of it may be related to our usage of a Bugzilla ID.
Comment 15 Christopher Guindon CLA 2015-05-04 14:42:25 EDT
(In reply to Denis Roy from comment #14)
> Another researcher is claiming that this is not working as expected; i.e.,
> even after changing passwords, some sessions remain active and usable.
> Looking at the patch in comment 8, I suspect some of it may be related to
> our usage of a Bugzilla ID.

This works fine if the user uses the "forgot my password" page.

We should discuss whether we should destroy all the sessions for the user if they change their password from their my account page.

What we can do here is:

If the user is changing his password under his my account page, we can destroy all the sessions and ask him to login again.

Also, since we are here, I am thinking that we should destroy all sessions for a user if they decide to logout. Currently, we are only destroying the session that the user is currently using.
Comment 16 Denis Roy CLA 2015-05-04 14:51:26 EDT
> We should discuss whether we should destroy all the sessions for the user if they
> change their password from their my account page.

I initially was against destroying perfectly valid sessions because you simply decide to change your password. But the use-case that this researcher named was: if a user suspects that their account credentials may have leaked, they'd want to change their password to ensure no one else can access their account.

> What we can do here is:
> 
> If the user is changing his password under his my account page, we can
> destroy all the sessions and ask him to login again.

+1 that doesn't seem to be unreasonable. And at the same time, the user can test their new password to make sure it in fact works.

> Also, since we are here, I am thinking that we should destroy all sessions
> for a user if they decide to logout. Currently, we are only destroying the
> session that the user is currently using.

+1
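The behaviour agreed on in comments 15 and 16 (every session of the user is destroyed on a password change from the account page, on a reset via the e-mail link, and on logout, and the user is asked to log in again) can be demonstrated with a small in-memory session store. The code below is an added example written for this page; it is not the site_login code from the Eclipse repository, and the class and method names (`SessionStore`, `AccountService`, `reproduce_report`) and the user name `alice` are assumptions made for the illustration. The key design point is the per-user index of session tokens: without it, a server can only destroy the session it currently holds, which is exactly the gap the reporter described.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """In-memory session store with a per-user index so that every session
    belonging to a user can be found and destroyed in one call (assumed design,
    not the project's own store)."""

    def __init__(self):
        self._user_by_token = {}   # session token -> user id
        self._tokens_by_user = {}  # user id -> set of session tokens

    def create(self, user_id):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._user_by_token[token] = user_id
        self._tokens_by_user.setdefault(user_id, set()).add(token)
        return token

    def user_for(self, token):
        """Return the user id for a live session token, or None if the token is dead."""
        return self._user_by_token.get(token)

    def destroy_all_for_user(self, user_id):
        """Destroy every session of the user; returns the number removed."""
        tokens = self._tokens_by_user.pop(user_id, set())
        for token in tokens:
            self._user_by_token.pop(token, None)
        return len(tokens)


class AccountService:
    """Login, password change, password reset and logout on top of SessionStore."""

    def __init__(self, store):
        self.store = store
        self._creds = {}  # user id -> (salt, PBKDF2 digest)

    @staticmethod
    def _hash(password, salt):
        return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _verify(self, user_id, password):
        salt, digest = self._creds[user_id]
        return hmac.compare_digest(digest, self._hash(password, salt)[1])

    def register(self, user_id, password):
        self._creds[user_id] = self._hash(password, secrets.token_bytes(16))

    def login(self, user_id, password):
        """Returns a new session token, or None on bad credentials."""
        if user_id not in self._creds or not self._verify(user_id, password):
            return None
        return self.store.create(user_id)

    def change_password(self, token, old_password, new_password):
        """Password change from the 'my account' page: requires a live session and
        the old password, then destroys ALL of the user's sessions, including the
        current one, so the user has to log in again with the new password.
        Returns the number of sessions destroyed, or None if the request is refused."""
        user_id = self.store.user_for(token)
        if user_id is None or not self._verify(user_id, old_password):
            return None
        self._creds[user_id] = self._hash(new_password, secrets.token_bytes(16))
        return self.store.destroy_all_for_user(user_id)

    def reset_password(self, user_id, new_password):
        """'Forgot my password' flow, reached through the e-mailed link: the link
        has already proven control of the mailbox, so no session is needed, and all
        existing sessions of the user are destroyed just as on a normal change."""
        if user_id not in self._creds:
            return None
        self._creds[user_id] = self._hash(new_password, secrets.token_bytes(16))
        return self.store.destroy_all_for_user(user_id)

    def logout(self, token):
        """Log out everywhere: destroys all sessions of the user, not only this one."""
        user_id = self.store.user_for(token)
        if user_id is None:
            return 0
        return self.store.destroy_all_for_user(user_id)


def reproduce_report():
    """The reporter's scenario with constructed data: one account logged in from two
    'browsers', password changed in the first. Returns (sessions destroyed,
    whether browser 2 is still logged in); the fixed behaviour gives (2, False)."""
    svc = AccountService(SessionStore())
    svc.register("alice", "old-password")           # constructed test account
    browser1 = svc.login("alice", "old-password")
    browser2 = svc.login("alice", "old-password")
    destroyed = svc.change_password(browser1, "old-password", "new-password")
    return destroyed, svc.store.user_for(browser2) is not None


if __name__ == "__main__":
    print(reproduce_report())
```

`reproduce_report()` is the check a reviewer would run against the original report: if it ever returned `(1, True)` the second browser's session survived the password change. The same `destroy_all_for_user` call backs the reset link and the logout, so the three paths cannot drift apart, which is the kind of inconsistency comment 14 describes between the reset flow and the account page.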
Comment 17 Eclipse Genie CLA 2015-05-04 16:20:59 EDT
New Gerrit change created: https://git.eclipse.org/r/47093
Comment 19 Denis Roy CLA 2015-05-06 10:08:33 EDT
Chris, I've pulled in the changes to dev.eclipse.org if you'd like to sanity check.
Comment 20 Christopher Guindon CLA 2015-05-06 10:23:25 EDT
(In reply to Denis Roy from comment #19)
> Chris, I've pulled in the changes to dev.eclipse.org if you'd like to sanity
> check.

I found a small bug, can you pull in the changes again? thanks

https://git.eclipse.org/c/websites/dev.eclipse.org.git/commit/?id=41652843916dbabce2cd5fdcb627b816496880fc
Comment 21 Denis Roy CLA 2015-05-06 10:30:55 EDT
Done
Comment 22 Christopher Guindon CLA 2015-05-06 10:37:44 EDT
(In reply to Denis Roy from comment #21)
> Done

Everything is working now! A password change will delete all sessions associated with the user.

thanks