Invalidating session on password change
-
I received an interesting email from ‘Ethical Hacker’:
Description of the issue: The server does not invalidate the previous session once the password is changed by the legitimate user.
How to reproduce: Log in to your account using Firefox. Now log in to the same account using Google Chrome. Let's assume the website user's account is compromised, so he wants to change his password; he will navigate to the forgot-password page or simply the password change page and will change his password in the Chrome browser.
The web user is able to change his password, and the session from which the password was changed is logged out, but it was observed that the previous session in Firefox is still not invalidated, and I was actually able to browse the website from both sessions.
Impact: If the web user's account is compromised, he will simply change his password, but if the previous session is not invalidated there is no use in changing the password.
Remediation: Invalidate the previous session once the password has been changed and force the web user to log in again on the website.
Have you seen this issue? Do you have a way to prevent it? I use the Jupiter theme and WooCommerce. I appreciate any assistance you can provide.
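As an added illustration (not code from this thread, and not WordPress's or WooCommerce's own code), the Python model below shows the two behaviours the report contrasts. `NaiveSessions` treats a session as valid for as long as its token exists in the store, so the Firefox session survives the password change made from Chrome. `BoundSessions` keys the cookie's HMAC with a fragment of the current password hash, which is the same idea WordPress core uses for its auth cookie: once the stored hash changes, every cookie issued under the old password fails verification and the user has to log in again. The server secret, the user store, the cookie layout and the user names are all constructed for the example.

```python
"""Session invalidation on password change: a vulnerable store next to a hardened one.

Everything here (secret, users, cookie format) is constructed for the example.
"""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = b"constructed-server-secret-for-the-example"  # assumed per-site secret


def hash_password(password, salt=None):
    """Salted PBKDF2 hash, stored as 'salthex$digesthex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return salt.hex() + "$" + digest.hex()


def check_password(password, stored):
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


class UserStore:
    def __init__(self):
        self.users = {}  # username -> stored password hash

    def create(self, username, password):
        self.users[username] = hash_password(password)

    def change_password(self, username, new_password):
        # The stored hash (and therefore its fragment) changes here.
        self.users[username] = hash_password(new_password)


class NaiveSessions:
    """Vulnerable pattern: a session stays valid as long as its token is in the store.

    Nothing ties the session to the password, so changing the password
    leaves every previously issued session usable."""

    def __init__(self, users):
        self.users = users
        self.active = {}  # token -> username

    def login(self, username, password):
        stored = self.users.users.get(username)
        if stored is None or not check_password(password, stored):
            return None
        token = secrets.token_urlsafe(32)
        self.active[token] = username
        return token

    def is_valid(self, token):
        return token in self.active


class BoundSessions:
    """Hardened pattern: the cookie MAC is keyed with a fragment of the password hash.

    Cookie layout (constructed): username|expires|token|mac. Usernames must not
    contain '|'. Changing the password changes the fragment, so old cookies fail."""

    def __init__(self, users, ttl=3600):
        self.users = users
        self.ttl = ttl

    def _mac(self, username, expires, token):
        pass_frag = self.users.users[username][-8:]  # differs after any password change
        key = hmac.new(SERVER_SECRET, f"{username}|{pass_frag}".encode(), "sha256").digest()
        return hmac.new(key, f"{username}|{expires}|{token}".encode(), "sha256").hexdigest()

    def login(self, username, password, now=None):
        stored = self.users.users.get(username)
        if stored is None or not check_password(password, stored):
            return None
        expires = int(now if now is not None else time.time()) + self.ttl
        token = secrets.token_urlsafe(32)
        return f"{username}|{expires}|{token}|{self._mac(username, expires, token)}"

    def is_valid(self, cookie, now=None):
        try:
            username, expires, token, mac = cookie.split("|")
            expires = int(expires)
        except ValueError:
            return False  # malformed cookie
        if username not in self.users.users:
            return False
        if expires < (now if now is not None else time.time()):
            return False  # expired
        # Recomputing with the *current* hash fragment is what invalidates old sessions.
        return hmac.compare_digest(mac, self._mac(username, expires, token))


def demo():
    """Replays the report: log in from 'Firefox', change the password from 'Chrome'."""
    users = UserStore()
    users.create("alice", "old-password")
    naive, bound = NaiveSessions(users), BoundSessions(users)
    firefox_naive = naive.login("alice", "old-password")
    firefox_bound = bound.login("alice", "old-password")
    users.change_password("alice", "new-password")
    chrome_bound = bound.login("alice", "new-password")
    return {
        "naive_old_session_still_valid": naive.is_valid(firefox_naive),
        "bound_old_session_still_valid": bound.is_valid(firefox_bound),
        "bound_new_session_valid": bound.is_valid(chrome_bound),
    }


if __name__ == "__main__":
    print(demo())
```

The same effect can be had with a server-side session table by deleting all of the user's other session records inside the password-change handler, or with a per-user "session version" counter that is bumped on password change and checked on every request; binding to the password hash is simply the variant that needs no extra state.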
-
I don’t see any WordPress.com sites under your account here.
What is the URL of the site with the problem?
-
Your site is not hosted with WordPress.com. It is a site using the open-source WordPress software (from WordPress.org) but hosted elsewhere.
Because WordPress.com and WordPress.org are two entirely separate entities, we cannot access files or data for sites that are hosted elsewhere, so WordPress.com staff can only assist with sites that are hosted on our servers. You can find more information here about the differences between WordPress.org software and WordPress.com: https://wordpress.com/support/com-vs-org/
https://wordpress.org/support/ is a great resource for sites using the open source WordPress.org software, and you can find support for that at: https://wordpress.org/support/forums/
Your hosting provider’s support team may also be able to assist.