[ OWASP - Montreal ] Terminate the current session on a password change

Sean Coates sean at caedmon.net
Mon Jul 13 13:39:56 EDT 2009


> If you change the password you create a new session and invalidate the
> old one, but no need to re-logon on the website?

Yeah. I don't see a need to have the user re-log-in; they've just  
supplied the new password.

S
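
The flow discussed in this thread, as an added example that is not part of the original message: on a password change the server drops the old session identifier and hands the same browser a new one, so no second login is needed. `SessionStore` and its method names are hypothetical, the store is in-memory, and revoking the account's other sessions as well goes beyond what the thread states.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """In-memory stand-in for a server-side session table (hypothetical)."""

    def __init__(self):
        self._users = {}     # username -> (salt, password hash)
        self._sessions = {}  # session id -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def check_password(self, user, password):
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def login(self, user, password):
        if user not in self._users or not self.check_password(user, password):
            return None
        return self._issue(user)

    def _issue(self, user):
        sid = secrets.token_urlsafe(32)  # fresh, unguessable identifier
        self._sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self._sessions.get(sid)

    def change_password(self, sid, new_password):
        """Rotate the session on a password change; no second login needed."""
        user = self._sessions.get(sid)
        if user is None:
            raise PermissionError("not logged in")
        self.set_password(user, new_password)
        # Invalidate the old session, and (added assumption) every other
        # session on the account, so a copied identifier stops working.
        for old in [s for s, u in self._sessions.items() if u == user]:
            del self._sessions[old]
        return self._issue(user)  # caller stays logged in under a new id
```

The value returned by `change_password` is what the server would set as the new session cookie in the same response.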


