[ OWASP - Montreal ] Terminate the current session on a password change

simon at comeau.info
Mon Jul 13 10:37:57 EDT 2009


IMHO, there is no need to terminate the session from which the  
password was changed; you already trust it since you allowed the  
password to be changed from it. It would only be a pain for the user.

However, if you are worried about security, you might want to only  
allow one active session at a time.

--
Simon Comeau Martel
simon at comeau.info
https://comeau.info

On 2009-07-13, at 10:19, "gueb at owasp.org" <gueb at owasp.org> wrote:

> I'm trying to find a reference (on the internet or from you guys) on that  
> one:
>
> I recommended that someone terminate the current session on a password
> change, because in my mind, you should not be using a session with
> invalid credentials.
>
> Is it a must, a best practice, or is it too much?
>
> Thanks!
> _______________________________________________
> Owasp-montreal mailing list
> Owasp-montreal at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-montreal
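The two policies discussed in this thread (keep the session that made the change but drop the others, and optionally permit only one active session per user) can be implemented with a per-user "password generation" counter stamped into each session. The example below is added here and is not code from the list, from Simon, or from any OWASP project; it assumes an in-memory store, PBKDF2 for password hashing, and the names SessionStore, login, change_password and resolve, all of which are constructed for illustration.

```python
"""Constructed example: session handling around a password change.

Policy implemented (an assumption for this example):
  * the session that performed the change stays logged in, but its
    session ID is rotated so the old cookie value stops working;
  * every other session of that user is rejected on its next request,
    because it was established under credentials that are now void;
  * optionally, only one active session per user is allowed at login.
"""
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; a real deployment would
    # use argon2, scrypt or bcrypt with tuned parameters.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    def __init__(self, single_session: bool = False) -> None:
        self.single_session = single_session
        self._users = {}     # username -> {"salt", "hash", "generation"}
        self._sessions = {}  # session id -> {"user", "generation"}

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = {
            "salt": salt,
            "hash": _hash_password(password, salt),
            "generation": 0,  # bumped on every password change
        }

    def _check_password(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

    def _new_session(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "generation": self._users[user]["generation"]}
        return sid

    def login(self, user: str, password: str):
        """Return a session ID, or None on bad credentials."""
        if not self._check_password(user, password):
            return None
        if self.single_session:
            # "only one active session at a time": evict everything else
            for sid in [s for s, r in self._sessions.items() if r["user"] == user]:
                del self._sessions[sid]
        return self._new_session(user)

    def resolve(self, sid: str):
        """Return the user behind a session ID, or None if absent or stale."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["generation"] != self._users[rec["user"]]["generation"]:
            # created under credentials that have since been changed
            del self._sessions[sid]
            return None
        return rec["user"]

    def change_password(self, sid: str, old_password: str, new_password: str):
        """Change the password from an existing session; return the caller's new session ID."""
        user = self.resolve(sid)
        if user is None or not self._check_password(user, old_password):
            return None
        rec = self._users[user]
        rec["salt"] = secrets.token_bytes(16)
        rec["hash"] = _hash_password(new_password, rec["salt"])
        rec["generation"] += 1  # invalidates every session stamped with the old value
        # The caller keeps a session (it was trusted enough to change the
        # password), but under a fresh ID bound to the new generation.
        del self._sessions[sid]
        return self._new_session(user)

    def active_sessions(self, user: str) -> int:
        gen = self._users[user]["generation"]
        return sum(1 for r in self._sessions.values()
                   if r["user"] == user and r["generation"] == gen)


if __name__ == "__main__":
    store = SessionStore()
    store.register("alice", "correct horse")
    laptop, phone = store.login("alice", "correct horse"), store.login("alice", "correct horse")
    laptop = store.change_password(laptop, "correct horse", "battery staple")
    print("laptop still logged in:", store.resolve(laptop) == "alice")
    print("phone logged out:", store.resolve(phone) is None)
```

Re-keying the surviving session on a password change is worth doing even though the session itself is trusted: it closes the window in which a previously captured cookie value (the classic session-fixation case) could outlive the credential change. The generation check also works lazily, so it needs no sweep over a shared session store at change time.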

