Previously created sessions continue being valid after initial 2FA activation
dd32 opened this issue · 0 comments
Is your enhancement related to a problem? Please describe.
When activating 2FA on an account, existing login sessions remain active.
Steps To Reproduce:
- Access the same account on example.com on two devices
- On device 'A', go to example.com and complete all steps to activate the 2FA system
- Now 2FA is activated for this account
- Go back to device 'B' and reload the page
- The session is still active
This is considered to be not-ideal, as users who are setting up 2FA may be doing it in response to a compromised account.
This is a low-impact issue however, as changing one's password will invalidate other sessions already, and there's also a "Destroy other sessions" profile setting.
The password changing causing other sessions to expire is a good enough reason to me why enabling 2FA should also invalidate other sessions.
This was reported via HackerOne by Tanvir0x1.
Proposed Solution
When 2FA is enabled for login, existing sessions should be terminated automatically without having to click "Destroy other sessions".
Designs
No response
Describe alternatives you've considered
No response
Please confirm that you have searched existing issues in this repository.
Yes
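To make the reproduction and the proposed fix concrete, here is an added example (not the reporter's or the project's own code) using a hypothetical in-memory session store. `SessionStore`, `Account`, `enable_2fa_current` and `enable_2fa_proposed` are all assumed names. `reproduce()` plays out the device A / device B scenario from the issue: with the current behaviour both sessions stay valid after 2FA activation; with the proposed behaviour every session except the one that performed the activation is destroyed, mirroring what the issue says a password change already does.

```python
"""Hypothetical session-store model (added example, not the project's code)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    token: str
    user: str
    device: str


@dataclass
class SessionStore:
    # token -> Session; a real store would be a DB table or user meta
    sessions: dict = field(default_factory=dict)

    def login(self, user: str, device: str) -> str:
        """Create a session and return its (random) token."""
        token = secrets.token_hex(16)
        self.sessions[token] = Session(token, user, device)
        return token

    def is_valid(self, token: str) -> bool:
        return token in self.sessions

    def destroy_other_sessions(self, user: str, keep_token: str) -> int:
        """Remove every session belonging to `user` except `keep_token`.

        Sessions of other users are untouched. Returns the number removed.
        """
        doomed = [t for t, s in self.sessions.items()
                  if s.user == user and t != keep_token]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)


@dataclass
class Account:
    name: str
    two_factor_enabled: bool = False


def enable_2fa_current(account: Account, store: SessionStore, token: str) -> int:
    """Behaviour described in the issue: the flag flips, sessions are untouched."""
    account.two_factor_enabled = True
    return 0


def enable_2fa_proposed(account: Account, store: SessionStore, token: str) -> int:
    """Proposed behaviour: flip the flag, then destroy all *other* sessions.

    The session that just completed 2FA setup is kept, exactly as a password
    change keeps the session that changed the password.
    """
    account.two_factor_enabled = True
    return store.destroy_other_sessions(account.name, keep_token=token)


def reproduce(enable_fn) -> dict:
    """Steps to reproduce from the issue, returning each device's session state."""
    store = SessionStore()
    acct = Account("victim")
    tok_a = store.login("victim", "device-A")   # attacker or user, device A
    tok_b = store.login("victim", "device-B")   # possibly the attacker's session
    enable_fn(acct, store, tok_a)               # 2FA activated from device A
    return {"A": store.is_valid(tok_a), "B": store.is_valid(tok_b)}


if __name__ == "__main__":
    print("current: ", reproduce(enable_2fa_current))
    print("proposed:", reproduce(enable_2fa_proposed))
```

Keeping the activating session avoids logging the user out in the middle of their own setup; device B is forced to log in again, and that fresh login now has to pass the 2FA challenge. The `destroy_other_sessions` helper is scoped to one user so that a bug here cannot turn into a mass logout of unrelated accounts.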