If a user changes their password, any active tokens should be invalidated to prevent any open sessions that were initiated by logging in with the old password from persisting.

Attached file: Screenshot 2023-04-06 at 4.10.06 PM.png (47.18 KB), added in comment #6 by gapple

Comments

gapple created an issue. See original summary.


Version: 8.x-1.x-dev » 2.x-dev

Core already clears any active sessions (see \Drupal\user\Entity\User::postSave()), so this only needs to handle persistent tokens.

  • gapple committed f21fa782 on 2.x
    Issue #3138813 by gapple: Clear tokens on password change
    

Status: Active » Fixed
Issue tags: +Security improvements

Screenshot of new option on user form to clear persistent tokens on password change

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.
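
The point made in this thread, that clearing active sessions on a password change is not enough while a persistent token remains valid, shown as a self-contained PHP model. This is an added example, not code from Drupal core or the Persistent Login module; `AuthModel` and all of its methods are hypothetical names.

```php
<?php
// Added illustration: in-memory model, not Drupal or Persistent Login code. All names are hypothetical.
final class AuthModel {
  private array $passwords = [];  // uid => password hash
  private array $sessions = [];   // session id => uid
  private array $tokens = [];     // sha256(token) => uid ("remember me")

  public function register(int $uid, string $password): void {
    $this->passwords[$uid] = password_hash($password, PASSWORD_DEFAULT);
  }
  // Returns [session id, persistent token] after a password login.
  public function login(int $uid, string $password): array {
    if (!password_verify($password, $this->passwords[$uid] ?? '')) {
      throw new RuntimeException('bad credentials');
    }
    $token = bin2hex(random_bytes(32));
    // Only a hash of the token is stored server-side.
    $this->tokens[hash('sha256', $token)] = $uid;
    return [$this->startSession($uid), $token];
  }
  // A valid persistent token silently opens a fresh session.
  public function resume(string $token): ?string {
    $uid = $this->tokens[hash('sha256', $token)] ?? NULL;
    return $uid === NULL ? NULL : $this->startSession($uid);
  }
  public function changePassword(int $uid, string $new, bool $clearTokens): void {
    $this->register($uid, $new);
    // Active sessions are dropped (the thread says core already does this).
    $this->sessions = array_filter($this->sessions, fn($u) => $u !== $uid);
    // Persistent tokens must be dropped as well, or resume() still works.
    if ($clearTokens) {
      $this->tokens = array_filter($this->tokens, fn($u) => $u !== $uid);
    }
  }
  public function sessionValid(string $sid): bool { return isset($this->sessions[$sid]); }
  private function startSession(int $uid): string {
    $sid = bin2hex(random_bytes(16));
    $this->sessions[$sid] = $uid;
    return $sid;
  }
}

// Constructed scenario: log in with the old password, then change it.
foreach ([FALSE, TRUE] as $clear) {
  $auth = new AuthModel();
  $auth->register(1, 'old-password');
  [$sid, $token] = $auth->login(1, 'old-password');
  $auth->changePassword(1, 'new-password', $clear);
  // Dumps: token clearing enabled?, old session still valid?, old token still resumes?
  var_dump($clear, $auth->sessionValid($sid), $auth->resume($token) !== NULL);
}
```

Requires PHP 7.4 or later; no Drupal installation is needed.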