Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#31179 closed Bug (invalid)

Using the "forgot password" mechanism doesn't invalidate other sessions

Reported by: Mike Lissner
Owned by: Rishabh Verma
Component: contrib.auth
Version: dev
Severity: Normal
Keywords: forgot password, reset password, sessions logs out
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


(I don't think this is enough of a vuln to not file publicly, since no way to really take advantage of it.)

We just received a vulnerability report that when a user learns that their account has been hijacked, forgets their password, and uses the "Forgot Password" link, Django doesn't invalidate the hijacked cookies, despite the user just changing their password.

Django *does* invalidate cookies when passwords are reset via other mechanisms, but not when they're done this way.

I haven't tested this, but I think a one-line patch could be added here:

I *think* we just need to add:

update_session_auth_hash(self.request, form.user)

And that might do it?

Change History (4)

comment:1 Changed 4 years ago by Rishabh Verma

Owner: changed from nobody to Rishabh Verma
Status: new → assigned
Triage Stage: Unreviewed → Accepted

comment:2 Changed 4 years ago by Rishabh Verma

Keywords: forgot password, reset password, sessions logs out added

comment:3 Changed 4 years ago by Marten Kenbeek

Resolution: invalid
Status: assigned → closed

Just updating the password is enough to invalidate all sessions. As you can see in User.get_session_auth_hash(), the session hash is an HMAC of the current password hash. Any session which does not have the correct session hash after the password has been updated is automatically discarded when accessed.

What update_session_auth_hash() does is revalidate the current session, by saving the new session hash in it. This prevents a logged-in user from having to log in again when they've just entered both their old and new passwords in the very same session.

In PasswordResetView, the user is not expected to be logged in, so revalidating the session has no effect.
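The mechanism described in the comment above, replayed as an added example that is not Django's code: the session carries an HMAC over the stored password hash, every request recomputes it, and a mismatch discards the session. SECRET_KEY, the key salt, the password hasher and the session dicts are constructed stand-ins; only the shape of the check follows Django.

```python
import hashlib
import hmac

# Constructed stand-ins for Django's SECRET_KEY, its key salt and the session key name.
SECRET_KEY = "constructed-secret-key-for-the-example"
KEY_SALT = "constructed-session-auth-hash-salt"
HASH_SESSION_KEY = "_auth_user_hash"


def make_password(raw):
    """Stand-in password hasher; the real hasher is irrelevant to the mechanism."""
    return hashlib.sha256(raw.encode()).hexdigest()


def session_auth_hash(password_hash):
    """Same idea as User.get_session_auth_hash(): an HMAC over the stored password hash."""
    key = hashlib.sha256((KEY_SALT + SECRET_KEY).encode()).digest()
    return hmac.new(key, password_hash.encode(), hashlib.sha256).hexdigest()


def login(session, password_hash):
    """Stamp a session with the hash that is valid for the current password."""
    session[HASH_SESSION_KEY] = session_auth_hash(password_hash)


def session_is_valid(session, password_hash):
    """The per-request check: a stale or missing stamp means the session is discarded."""
    stored = session.get(HASH_SESSION_KEY)
    return stored is not None and hmac.compare_digest(stored, session_auth_hash(password_hash))


# update_session_auth_hash() only re-stamps the *current* session so it survives the change.
update_session_auth_hash = login


def demo():
    """Replay the two scenarios from the ticket; returns (own_valid, hijacked_valid) per scenario."""
    user_pw = make_password("original-password")
    own, hijacked = {}, {}
    login(own, user_pw)
    login(hijacked, user_pw)  # attacker holding a copy of the victim's session cookie
    # Scenario 1: PasswordResetView sets a new password; nobody is logged in, nothing is re-stamped.
    user_pw = make_password("reset-password")
    after_reset = (session_is_valid(own, user_pw), session_is_valid(hijacked, user_pw))
    # Scenario 2: password changed from the victim's own session, then update_session_auth_hash().
    user_pw = make_password("changed-password")
    update_session_auth_hash(own, user_pw)
    after_change = (session_is_valid(own, user_pw), session_is_valid(hijacked, user_pw))
    return {"after_reset": after_reset, "after_change": after_change}
```

After the reset both sessions are dead, which is the behaviour the comment describes; after the change only the session that was re-stamped survives.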

comment:4 Changed 4 years ago by Mike Lissner

Curious. I thought I reproduced it too, but perhaps I didn't do my test properly. I'm checking with the vulnerability reporter if he can reproduce it and will reopen if there's some subtlety we've missed (I suspect not!).

Thanks for the response and sorry for taking your time.
