Most users usually (only?) change their password when they suspect it has been compromised. Therefore, when a password is changed, it is sensible to destroy all existing open sessions for that user account except the one that changed the password.

Patch attached.

Attachment: user-pass-patch.txt (820 bytes), uploaded by bjaspan
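The behaviour the issue asks for, as an added example that is not the attached patch and not Drupal's own code: a Python model of a users table and a sessions table keyed by session id with a uid column (the table and column names are assumptions for this example), where a password change deletes every session of that account except the one that performed the change. Beyond what the issue text says, the example also requires the caller to re-authenticate with the old password before the change goes through; without that check, an attacker holding a hijacked session could change the password and use the very same purge to evict the real owner. The scenario data (alice, bob, the hostnames) is constructed.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000


def open_store():
    """In-memory SQLite store. Table and column names are assumptions for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, salt BLOB, pass BLOB)")
    db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, uid INTEGER NOT NULL, hostname TEXT)")
    return db


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_user(db, uid, name, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               (uid, name, salt, hash_password(password, salt)))


def login(db, uid, hostname):
    """Open a session with an unguessable id (the login password check is omitted here)."""
    sid = os.urandom(16).hex()
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (sid, uid, hostname))
    return sid


def verify_password(db, uid, password):
    row = db.execute("SELECT salt, pass FROM users WHERE uid = ?", (uid,)).fetchone()
    return row is not None and hmac.compare_digest(hash_password(password, row[0]), row[1])


def active_sessions(db, uid):
    return sorted(r[0] for r in db.execute("SELECT sid FROM sessions WHERE uid = ?", (uid,)))


def change_password(db, uid, current_sid, old_password, new_password):
    """Change uid's password from the session current_sid.

    Re-authentication with the old password is an addition beyond the issue
    text: without it, whoever holds a hijacked session could change the
    password and use the session purge below to evict the real owner.
    """
    if not verify_password(db, uid, old_password):
        return False
    salt = os.urandom(16)
    db.execute("UPDATE users SET salt = ?, pass = ? WHERE uid = ?",
               (salt, hash_password(new_password, salt), uid))
    # The point of the issue: every other open session for this account dies,
    # the session that made the change survives, other users are untouched.
    db.execute("DELETE FROM sessions WHERE uid = ? AND sid <> ?", (uid, current_sid))
    db.commit()
    return True


def demo():
    """Constructed scenario: alice has a laptop session plus a second session an
    attacker is using; bob is an unrelated user. Returns the observable outcome."""
    db = open_store()
    create_user(db, 1, "alice", "old-secret")
    create_user(db, 2, "bob", "bobs-secret")
    laptop = login(db, 1, "10.0.0.5")
    hijacked = login(db, 1, "203.0.113.9")
    bob = login(db, 2, "10.0.0.7")

    # Attempt from the hijacked session with a wrong old password: nothing changes.
    rejected = change_password(db, 1, hijacked, "guess", "attacker-pass")
    untouched = active_sessions(db, 1) == sorted([laptop, hijacked])

    # Legitimate change from the laptop: the hijacked session is destroyed.
    accepted = change_password(db, 1, laptop, "old-secret", "new-secret")
    return {
        "rejected": rejected is False,
        "untouched_on_reject": untouched,
        "accepted": accepted,
        "alice_keeps_only_current": active_sessions(db, 1) == [laptop],
        "bob_unaffected": active_sessions(db, 2) == [bob],
        "new_password_works": verify_password(db, 1, "new-secret"),
        "old_password_dead": not verify_password(db, 1, "old-secret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `DELETE ... WHERE uid = ? AND sid <> ?` statement is the whole fix in one line; the rest exists so the effect can be observed. Two things worth checking in a real deployment: that the purge also covers any persistent "remember me" tokens the site issues, and that a password reset performed by an administrator (where there is no session of the user's to keep) purges all sessions rather than skipping the step.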

Comments

moshe weitzman:

Status: Active » Reviewed & tested by the community

That's perfectly sensible. RTBC.

kbahey:

+1, as I said on the devel mailing list.

Dries:

Status: Reviewed & tested by the community » Fixed

Good catch. Committed to CVS HEAD. Thanks!

m3avrck:

Version: 6.x-dev » 5.x-dev
Status: Fixed » Reviewed & tested by the community

This should be in 5 too, no?

bjaspan:

I'd say so. I do not think it is worthy of a security advisory but it is a security improvement.

drumm:

Status: Reviewed & tested by the community » Fixed

Committed to 5.

Anonymous:

Status: Fixed » Closed (fixed)