PUBLIC - Liferay Portal Community Edition / LPS-75992

Invalidate all existing sessions upon password change

    Details

      Description

      In out-of-the-box Liferay, when a user changes their password, the reset doesn't invalidate existing sessions.

      Assume an attacker has gained access to a user account and is logged in. The user changes their password; however, the attacker still has access as long as they don't let their session expire, or until the session becomes invalid in some other way.

      The password reset hasn't actually protected the account immediately.
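      The behaviour described above, next to the requested one, as an added example that is not part of the ticket and is not Liferay code. It is a framework-agnostic in-memory model; `SessionStore`, its method names, and the sample user and passwords are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    # Constructed demo data: plaintext passwords keep the model short;
    # a real store would hold salted password hashes.
    passwords: dict = field(default_factory=dict)  # user -> password
    sessions: dict = field(default_factory=dict)   # session id -> user
    by_user: dict = field(default_factory=dict)    # user -> set of session ids

    def login(self, user, password):
        stored = self.passwords.get(user)
        if stored is None or not secrets.compare_digest(
                stored.encode(), password.encode()):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        self.by_user.setdefault(user, set()).add(sid)
        return sid

    def user_for(self, sid):
        # Returns the user a session id belongs to, or None if it is not valid.
        return self.sessions.get(sid)

    def change_password_weak(self, user, new_password):
        # Behaviour reported in the ticket: the credential changes,
        # but every session opened with the old one stays valid.
        self.passwords[user] = new_password

    def change_password(self, sid, new_password):
        # Requested behaviour: revoke all of the user's sessions, then
        # issue a fresh session to the caller who changed the password.
        user = self.sessions.get(sid)
        if user is None:
            raise PermissionError("not logged in")
        self.passwords[user] = new_password
        for old in self.by_user.pop(user, set()):
            self.sessions.pop(old, None)
        return self.login(user, new_password)


def demo():
    store = SessionStore(passwords={"alice": "old-pw"})
    attacker = store.login("alice", "old-pw")  # session opened with the stolen password
    victim = store.login("alice", "old-pw")
    store.change_password_weak("alice", "mid-pw")
    survived = store.user_for(attacker)        # attacker session outlives the change
    fresh = store.change_password(victim, "new-pw")
    return (survived, store.user_for(attacker),
            store.user_for(victim), store.user_for(fresh))
```

      `demo()` returns the owner of the attacker's session after the weak change, then the owners of the attacker's, the victim's old, and the victim's new session after the hardened change.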

       


            People

            • Assignee: SE Support (support-lep@liferay.com)
            • Reporter: Adam Zsolnay (adam.zsolnay)