Our Drupal 7.27 site has about 300k users. We do not use any session/login-modifications like SSO etc.
A colleague of mine reported to me yesterday that he was logged into another user's account after he had used the password recovery function (he supplied a screenshot to me which clearly shows that he's correct). He logged out and logged in again. This time he was correctly logged into his own account. We've not been able to reproduce the issue nor have there been any reports from our users. We've updated/added the following modules recently (all at newest version): Zen Theme, Flag Module, External Links Module.

Comments

Miro Goepel

Title: User was loged into another user's account after password recovery » User was logged into another user's account after password recovery
Miro Goepel

Issue summary: View changes
David_Rothstein

If you have more details or can isolate this to something in Drupal core or contrib (rather than any custom code running on the site), please report it to the Drupal security team at https://security.drupal.org/node/add/project-issue/drupal rather than here... thanks.

Miro Goepel

Thanks for your reply, David. As I've said, we don't have any custom code running on our site which interferes with sessions or the password recovery function. We will keep an eye out for any other occurrence of this issue, but at the moment, there's not much else to document than "it has happened once and we don't know why or how to reproduce it".

cilefen

Status: Active » Closed (cannot reproduce)

It has been over a year with no reported reoccurrences. This issue will remain in search results should it need to be reopened.