Updating your password should require re-authentication on all devices
If a user changes their password because they suspect someone has gained access to their account, other devices that are logged in to that account can still post and reply, and possibly even still access the account section if they recently authenticated.
All devices should be signed out and require re-authentication. citizen's `session.end()` function can close all open server-side sessions for a given `user_id`:

```js
app.session.end({ key: 'user_id', value: session.user_id })
```
However, any device with the username cookie hash will still have access. Since the server can't push a cookie deletion, the user's account will need to be flagged as requiring re-authentication at their next visit. Any cookied device would encounter that flag and be bumped to the sign-in form.
A possible solution is a new column in the `users` table called `require_auth` (boolean) that gets set when the user performs a related action (updating their e-mail address or password).