[ OWASP - Montreal ] Terminate the current session on a password change

gueb at owasp.org
Mon Jul 13 11:21:51 EDT 2009


If you change the password, you create a new session and invalidate the
old one, but there is no need to log on to the website again?

What is the good practice?

On Mon, Jul 13, 2009 at 10:41 AM, Sean Coates<sean at caedmon.net> wrote:
>> IMHO, there is no need to terminate the session from which the
>> password was changed; you already trust it since you allowed the
>> password to be changed from it. It would only be a pain for the user.
>
> I think you can trust the new session, but you should regenerate the session
> ID to avoid fixation.
>
>
>> However, if you are worried about security, you might want to only
>> allow one active session at a time.
>
> This is usually more annoying to me as a user than beneficial (-:
>
> S
>

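One way to implement the practice the thread converges on (keep the session that changed the password but rotate its ID against fixation, drop the user's other sessions, and optionally enforce one session per user), as an added Python example that is not part of the original thread; the in-memory `SessionStore` and its method names are assumptions:

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str


class SessionStore:
    """Server-side session store (in-memory here; constructed for this example)."""

    def __init__(self, single_session: bool = False) -> None:
        # single_session=True is the stricter policy mentioned in the thread:
        # a new login replaces the user's existing sessions.
        self.single_session = single_session
        self._sessions: dict[str, Session] = {}

    def _new_id(self) -> str:
        # 256 bits from the OS CSPRNG; never derive IDs from user-controlled input
        return secrets.token_urlsafe(32)

    def login(self, user_id: str) -> str:
        if self.single_session:
            self._revoke_user(user_id, keep=None)
        sid = self._new_id()
        self._sessions[sid] = Session(user_id)
        return sid

    def user_for(self, sid: str):
        s = self._sessions.get(sid)
        return s.user_id if s else None

    def _revoke_user(self, user_id: str, keep) -> None:
        doomed = [k for k, v in self._sessions.items() if v.user_id == user_id and k != keep]
        for sid in doomed:
            del self._sessions[sid]

    def change_password(self, current_sid: str, user_id: str) -> str:
        """Rotate the ID of the session that changed the password (anti-fixation)
        and revoke every other session of that user, without forcing a re-login.
        Returns the new ID, which the caller must write to the session cookie."""
        current = self._sessions.get(current_sid)
        if current is None or current.user_id != user_id:
            raise PermissionError("password change must come from a live session of that user")
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user_id)
        del self._sessions[current_sid]           # the old ID can no longer be replayed
        self._revoke_user(user_id, keep=new_sid)  # any session held elsewhere is gone
        return new_sid
```

The password itself must of course be re-verified before `change_password` is called; this class only covers the session side of the change.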
