[ OWASP - Montreal ] Terminate the current session on a password change
sean at caedmon.net
Mon Jul 13 10:41:02 EDT 2009
> IMHO, there is no need to terminate the session from which the
> password was changed; you already trust it since you allowed the
> password to be changed from it. It would only be a pain for the user.
I think you can trust the new session, but you should regenerate the
session ID to avoid fixation.
> However, if you are worried about security, you might want to only
> allow one active session at a time.
This is usually more annoying to me as a user than beneficial (-:
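The session-ID regeneration recommended above, as an added example that is not from the original thread: an in-memory session store (an assumption of this illustration, as are the `login` and `change_password` helpers and the plaintext `users` table) that moves the session state to a fresh random ID on login and on password change, so an ID an attacker planted or observed before either step no longer resolves to the authenticated session.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None
    authenticated: bool = False
    data: dict = field(default_factory=dict)


class SessionStore:
    """Constructed in-memory store; a real app would use a DB or cache."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)  # unpredictable, CSPRNG-backed
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def regenerate(self, old_sid: str) -> str:
        """Keep the session state but retire the old ID and issue a new one."""
        sess = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = sess
        return new_sid


def login(store: SessionStore, sid: str, user: str, password: str,
          users: Dict[str, str]) -> Optional[str]:
    """Authenticate and rotate the ID so a pre-set (fixated) ID is useless."""
    sess = store.get(sid)
    if sess is None or users.get(user) != password:
        return None
    sess.user, sess.authenticated = user, True
    return store.regenerate(sid)


def change_password(store: SessionStore, sid: str, old_pw: str, new_pw: str,
                    users: Dict[str, str]) -> Optional[str]:
    """Require the current password, update it, and rotate the session ID."""
    sess = store.get(sid)
    if sess is None or not sess.authenticated or users[sess.user] != old_pw:
        return None
    users[sess.user] = new_pw  # constructed: real code stores a password hash
    return store.regenerate(sid)
```

The caller must send the returned ID back to the client (e.g. a fresh cookie); the old ID is gone from the store, so any other holder of it is logged out.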