Most users usually (only?) change their password when they suspect it has been compromised. Therefore, when a password is changed, it is sensible to destroy all existing open sessions for that user account except the one that changed the password.
Patch attached.
File | Size | Author |
---|---|---|
user-pass-patch.txt | 820 bytes | bjaspan |
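
The behaviour the issue describes, as an added example; it is not the attached patch or Drupal's own code. The `users` and `sessions` tables, the function names and the sample data are assumptions, and PDO with an in-memory SQLite database stands in for Drupal's database layer.

```php
<?php
// Added example (not Drupal core code). Schema and names are assumptions.

function make_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, pass TEXT NOT NULL)');
    $db->exec('CREATE TABLE sessions (sid TEXT PRIMARY KEY, uid INTEGER NOT NULL)');
    return $db;
}

/**
 * Store a new password hash and end every session of $uid except $currentSid.
 * Returns the number of sessions destroyed.
 */
function change_password(PDO $db, int $uid, string $newPass, string $currentSid): int {
    // Update and purge in one transaction so a failure cannot leave the new
    // password in place while old sessions stay valid.
    $db->beginTransaction();
    try {
        $db->prepare('UPDATE users SET pass = ? WHERE uid = ?')
           ->execute([password_hash($newPass, PASSWORD_DEFAULT), $uid]);
        // If $currentSid belongs to another account (an administrator resetting
        // the password), no row of $uid matches it and all of $uid's sessions go.
        $del = $db->prepare('DELETE FROM sessions WHERE uid = ? AND sid <> ?');
        $del->execute([$uid, $currentSid]);
        $db->commit();
        return $del->rowCount();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Constructed sample data: user 7 has three open sessions, user 1 is an administrator.
$db = make_store();
$db->exec("INSERT INTO users VALUES (1, 'x'), (7, 'x')");
$db->exec("INSERT INTO sessions VALUES ('laptop', 7), ('phone', 7), ('stale-kiosk', 7), ('admin', 1)");

$sids = fn() => implode(',', $db->query('SELECT sid FROM sessions ORDER BY sid')->fetchAll(PDO::FETCH_COLUMN));

// User 7 changes their own password from the 'laptop' session.
echo change_password($db, 7, 'new passphrase', 'laptop'), ' destroyed; left: ', $sids(), "\n";
// The administrator resets user 7's password from the 'admin' session.
echo change_password($db, 7, 'reset by admin', 'admin'), ' destroyed; left: ', $sids(), "\n";
```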
Comments
Comment #1
moshe weitzman commented: That's perfectly sensible. rtbc.
Comment #2
kbahey commented: +1, as I said on the devel mailing list.
Comment #3
Dries commented: Good catch. Committed to CVS HEAD. Thanks!
Comment #4
m3avrck commented: This should be in 5 too, no?
Comment #5
bjaspan commented: I'd say so. I do not think it is worthy of a security advisory but it is a security improvement.
Comment #6
drumm commented: Committed to 5.