[ OWASP - Montreal ] Terminate the current session on a password change

gueb at owasp.org
Mon Jul 13 10:19:41 EDT 2009


I am trying to find a reference (on the internet or from you guys) on this one:

I recommended to someone that they terminate the current session on a
password change, because in my mind, you should not be using a session
with invalid credentials.

Is it a must, a best practice, or is it too much?

Thanks!

