[ OWASP - Montreal ] Terminate the current session on a password change

Pierre-Luc Simard pierreluc.simard at gmail.com
Tue Jul 14 10:53:41 EDT 2009


Before I answer, here are a fee reference from the OWASP:

OWASP guide on Session Management can be found here:
http://www.owasp.org/index.php/Session_Management

The guide talks about when to rotate a session identifier here:
http://www.owasp.org/index.php/Session_Management#Rotate_Session_Identifiers


Here the paragraph on when to Rotate Session Identifiers:
For high value sites, session identifiers should be regenerated prior to any
significant transaction, after a certain period of time and after a certain
number of requests. For medium and low value sites, Token regeneration
should be performed after a change in user privilege, such as moving from an
anonymous visitor to a logged in user or moving from a logged in user to an
administrator. If a user is moving from an insecure page on the site to a
more secure section of the site that uses HTTPS, the session ID should also
be regenerated so that the secure session ID has never been transmitted in
an unencrypted state. An additional session ID might be used instead of
regenerating the original session ID. Unless this capability is built in to
the application framework, it must implemented in addition to the
application framework session controls. The prior recommendations about
first leveraging platform security mechanisms still apply – because this
control measure often includes writing additional custom code for an
application the application should require the application framework session
management features to be in operation as well as this additional rotating
session identifier.

Now, if I understand correctly, your question is: "Is it a good practice to
terminate the current session on a password change?"

I assume that what you mean by terminate is more "rotate" i.e. change the
session identifier while keeping the rest of the session information intact.
If that case and that changing the password is a significant operation in
your application, the guide agrees with you right in the first sentence: "For
high value sites, session identifiers should be regenerated prior to any
significant transaction[...]".

This being said, if by terminate you meant actually logging the user out I
would not recommend it since it would create great confusion from the user
stand point. Also it would require creating a special exit page to indicate
that the password change operation was successful otherwise you may have
user complaining they cannot log back into the system.

Hope this helps.

Pierre-Luc Simard

On Mon, Jul 13, 2009 at 10:19 AM, gueb at owasp.org <gueb at owasp.org> wrote:

> I try to find a reference (on the internet or from you guys) on that one:
>
> I recommended someone to terminate the current session on a password
> change, because in my mind, you should not using a session with
> invalid credentials.
>
> Is it a must, a best practice, or is it too much?
>
> Thanks!
> _______________________________________________
> Owasp-montreal mailing list
> Owasp-montreal at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-montreal
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-montreal/attachments/20090714/8508ce31/attachment.html 


More information about the Owasp-montreal mailing list