Bug 540550 - Password change should invalidate all user sessions
Summary: Password change should invalidate all user sessions
Status: RESOLVED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC All
Importance: P3 major
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
Reported: 2018-10-29 00:14 EDT by Turan Al Ayat
Modified: 2018-11-02 10:44 EDT

Description Turan Al Ayat 2018-10-29 00:14:16 EDT
Hello there

Steps to reproduce the bug :
Step 1 : Go to Browser A and log in with your credentials at https://accounts.eclipse.org/user/login.

Step 2 : Similarly, go to Browser B and log in with the same credentials at https://accounts.eclipse.org/user/login.

Step 3 : Suppose Browser B is a shared computer's browser, and you left your account logged in at that computer. Go to Browser A and change your account password.

Step 4 : When you change your account password at Browser A, the session at Browser B should expire and the account should automatically be logged out.

Step 5 : Go to Browser B, visit your account page and refresh the page.

You will notice that even after changing the account password at Browser A, the session at Browser B didn't expire, which can cause major problems. And also after that I can change user information.

Thanks

Impact
Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other related functions. Because “walk by” attacks are likely for many web applications, all account management functions should require reauthentication even if the user has a valid session id.
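The behaviour the report asks for, shown as an added example written for this page (it is not Eclipse Foundation code and not the patch discussed in the comments). It assumes an in-memory user and session store; the mechanism is a per-user password generation counter that every session is stamped with at login. A password change requires re-authentication with the old password, bumps the counter, deletes the user's other sessions (Browser B in the report) and re-issues the changing session (Browser A) under a fresh id. The generation check in `current_user` is the part that holds up even if eager deletion misses a session, for example one living in another store replica. Hashing parameters and sample credentials are illustrative.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional


class AuthError(Exception):
    """Raised when credentials or a session are rejected."""


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 keeps the example self-contained; the iteration
    # count is illustrative, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class AccountService:
    """In-memory users and sessions (a stand-in for a real account store)."""

    def __init__(self) -> None:
        # user_id -> {"salt", "hash", "generation"}; generation counts password changes
        self.users: Dict[str, dict] = {}
        # session_id -> {"user_id", "generation"}; generation as of session creation
        self.sessions: Dict[str, dict] = {}

    def create_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = {"salt": salt, "hash": _hash_password(password, salt), "generation": 0}

    def _password_matches(self, user_id: str, password: str) -> bool:
        user = self.users.get(user_id)
        if user is None:
            return False
        return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))

    def _new_session(self, user_id: str) -> str:
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = {"user_id": user_id, "generation": self.users[user_id]["generation"]}
        return session_id

    def login(self, user_id: str, password: str) -> str:
        if not self._password_matches(user_id, password):
            raise AuthError("bad credentials")
        return self._new_session(user_id)

    def current_user(self, session_id: str) -> Optional[str]:
        """Resolve a session to its user, or None once the session is no longer valid."""
        session = self.sessions.get(session_id)
        if session is None:
            return None
        # A session minted before the latest password change carries a stale
        # generation number. Rejecting it here catches anything eager deletion missed.
        if session["generation"] != self.users[session["user_id"]]["generation"]:
            del self.sessions[session_id]
            return None
        return session["user_id"]

    def change_password(self, session_id: str, old_password: str, new_password: str) -> str:
        """Change the password, log out every other session, return a fresh session id."""
        user_id = self.current_user(session_id)
        if user_id is None:
            raise AuthError("not logged in")
        # Re-authenticate before touching credentials, even with a valid session id.
        if not self._password_matches(user_id, old_password):
            raise AuthError("bad credentials")
        user = self.users[user_id]
        user["salt"] = os.urandom(16)
        user["hash"] = _hash_password(new_password, user["salt"])
        user["generation"] += 1
        # Drop every existing session of this user, including the one making the change.
        for sid in [s for s, v in self.sessions.items() if v["user_id"] == user_id]:
            del self.sessions[sid]
        # Keep the changer logged in, but on a new id bound to the new generation.
        return self._new_session(user_id)


if __name__ == "__main__":
    svc = AccountService()
    svc.create_user("alice", "correct horse")        # constructed sample account
    browser_a = svc.login("alice", "correct horse")
    browser_b = svc.login("alice", "correct horse")  # e.g. the shared computer
    browser_a = svc.change_password(browser_a, "correct horse", "battery staple")
    print("Browser A still logged in:", svc.current_user(browser_a) == "alice")
    print("Browser B still logged in:", svc.current_user(browser_b) == "alice")
```

Deleting the changer's own session and re-issuing it is deliberate: it rotates the session id at a privilege-sensitive moment, so a session id captured before the change is worthless afterwards even in Browser A.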
Comment 1 Christopher Guindon 2018-10-29 09:22:58 EDT
Marking as Committer-only group for handling security advisories in a closed fashion.
Comment 2 Christopher Guindon 2018-10-29 11:11:08 EDT
I created a patch that will delete any duplicate session of a user on logout:
https://foundation.eclipse.org/r/2924
Comment 3 Christopher Guindon 2018-11-02 10:44:15 EDT
This should be fixed now!

Could you confirm?