Invalidate old sessions/use new sessions after privilege changes #322

New Issue

tim · 2024-12-15T22:40:16Z

tim commented

2024-12-15 22:40:16 +00:00

SignUp
- ~~Invalidate old anonymous session~~
- ~~Create new session~~ (sign up does not sign in)
SignIn
- Invalidate old anonymous session
- create new session
- Invalid other old sessions (expires_at has been reached)
SignOut
- Invalidate only the current session
Password Change
- Invalidate all sessions except the current
Forgot Password
- Invalidate all sessions

All these actions have to invalidate the previous session Id

See https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#renew-the-session-id-after-any-privilege-level-change

* SignUp * ~~Invalidate old anonymous session~~ * ~~Create new session~~ (sign up does not sign in) * SignIn * Invalidate old anonymous session * create new session * Invalid other old sessions (expires_at has been reached) * SignOut * Invalidate only the current session * Password Change * Invalidate all sessions except the current * Forgot Password * Invalidate all sessions All these actions have to invalidate the previous session Id See https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#renew-the-session-id-after-any-privilege-level-change

tim added this to the security milestone 2024-12-15 22:40:16 +00:00

tim commented

2024-12-18 22:51:36 +00:00

Duplicate of #328

tim referenced this issue

2024-12-18 22:51:53 +00:00

Invalidate all Sessions after password change #328

tim changed title from ~~Invalidate sessions after events~~ to Invalidate old sessions/use new sessions after privilege changes

2024-12-18 22:53:04 +00:00

tim closed this issue

2024-12-31 10:54:19 +00:00

This repo is archived. You cannot comment on issues.