[ OWASP - Montreal ] Terminate the current session on a password change

Sean Coates sean at caedmon.net
Mon Jul 13 10:41:02 EDT 2009

> IMHO, there is no need to terminate the session from which the
> password was changed; you already trust it since you allowed the
> password to be changed from it. It would only be a pain for the user.

I think you can trust the new session, but you should regenerate the session ID to avoid fixation.

> However, if you are worried about security, you might want to only
> allow one active session at a time.

This is usually more annoying to me as a user than beneficial (-:
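The regenerate-on-change step discussed above, as an added example that is not from the list thread or any project: a hypothetical in-memory session and credential store in which a password change keeps the calling session trusted but rotates its identifier, and can optionally drop the user's other sessions (the stricter policy the quoted message mentions). Store names, functions and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stores for this example (hypothetical, not a real framework).
SESSIONS: dict = {}   # session id -> user name
USERS: dict = {}      # user name -> (salt, derived key)

def _derive(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the example runs quickly; raise it in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def register(user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[user] = (salt, _derive(password, salt))

def login(user: str, password: str) -> Optional[str]:
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(_derive(password, rec[0]), rec[1]):
        return None
    sid = secrets.token_urlsafe(32)  # fresh, unguessable id per login
    SESSIONS[sid] = user
    return sid

def change_password(sid: str, current: str, new: str,
                    revoke_others: bool = True) -> Optional[str]:
    """Change the password of the user owning `sid`.

    The calling session stays trusted, but its id is rotated so that an id fixed
    or captured before the change no longer maps to the account. revoke_others
    additionally drops the user's other sessions. Returns the new session id, or
    None if `sid` or `current` is invalid.
    """
    user = SESSIONS.get(sid)
    if user is None:
        return None
    salt, key = USERS[user]
    if not hmac.compare_digest(_derive(current, salt), key):
        return None  # require the current password before a sensitive change
    new_salt = secrets.token_bytes(16)
    USERS[user] = (new_salt, _derive(new, new_salt))
    stale = [s for s, u in SESSIONS.items() if u == user] if revoke_others else [sid]
    for s in stale:
        del SESSIONS[s]
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = user
    return new_sid
```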

