  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-75992

Invalidate all existing sessions upon password change

    Details

    • Priority Level:
      Low

      Description

      In out-of-the-box Liferay, when a user changes their password, the reset doesn't invalidate existing sessions.

      Assume an attacker has gained access to a user account and is logged in. The user changes their password; however, the attacker still has access as long as they don't let their session expire and the session doesn't become invalid in any other way.

      The password reset hasn't actually protected the account immediately.

       

            People

            Assignee:
            support-lep@liferay.com SE Support
            Reporter:
            adam.zsolnay Adam Zsolnay
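
One way to close the gap described in this issue, as an added example that is not Liferay's code and not part of the original report: a registry indexes live sessions by user so that a password change can revoke all of them at once. `SessionRegistryDemo`, `login`, `isValid` and `onPasswordChanged` are hypothetical names, and the in-memory maps stand in for whatever session store the application actually uses.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; class and method names are hypothetical, not Liferay APIs.
public class SessionRegistryDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // session token -> owning user id
    private final Map<String, String> sessions = new ConcurrentHashMap<>();
    // user id -> all live session tokens for that user
    private final Map<String, Set<String>> byUser = new ConcurrentHashMap<>();

    public String login(String userId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, userId);
        byUser.computeIfAbsent(userId, k -> ConcurrentHashMap.newKeySet()).add(token);
        return token;
    }

    public boolean isValid(String token) {
        return token != null && sessions.containsKey(token);
    }

    // Called after the new password has been stored: drop every session of the
    // user, including the one that made the change, and issue a fresh one.
    public String onPasswordChanged(String userId) {
        Set<String> tokens = byUser.remove(userId);
        if (tokens != null) {
            tokens.forEach(sessions::remove);
        }
        return login(userId);
    }

    public static void main(String[] args) {
        SessionRegistryDemo reg = new SessionRegistryDemo();
        String victim = reg.login("alice");    // constructed sample user
        String attacker = reg.login("alice");  // second session on the same account
        String other = reg.login("bob");       // unrelated account
        String fresh = reg.onPasswordChanged("alice");
        System.out.println("attacker session valid:   " + reg.isValid(attacker));
        System.out.println("old victim session valid: " + reg.isValid(victim));
        System.out.println("new victim session valid: " + reg.isValid(fresh));
        System.out.println("unrelated user valid:     " + reg.isValid(other));
    }
}
```

Without the user-to-tokens index, a password change has no way to find the other sessions, which is the behavior the description reports.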