Force Logout on All Device after Password Reset

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
2 years ago
Hello All,

Below is my scenario. How can I force a user to log out from all devices?

The server does not invalidate the previous session once the password is changed by the legitimate user.

How to reproduce:

Log in to your account using Firefox.

Now log in to the same account using Google Chrome.

Let's assume a website user's account is compromised, so he wants to change his password. He will navigate to the forgot-password page, or simply the password change page, and change his password in the Chrome browser.

The web user is able to change his password, and the session from which the password was changed is logged out, but it was observed that the previous session in Firefox is still not invalidated, and I was actually able to browse the website from both sessions.

Impact:
If the web user's account is compromised, he will simply change his password, but if the previous session is not invalidated there is no use in changing the password.

Remediation: Invalidate the previous session once the password has been changed and force the web user to log in to the website again.
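The remediation described in the post, as an added example that is not part of the original thread or of nopCommerce's own code: each user record carries a credential version (a counter) that is copied into every session at login time; a password change bumps the counter, so every session issued under the old password, including the one that made the change, fails validation on its next request. Because the check is made at validation time, it works whether sessions are stored server-side (as here) or carried in a signed token, and it needs no separate list of sessions to revoke. The in-memory store, user names and passwords below are constructed for the example; the helper names (`AuthServer`, `credential_version`, `reproduce_scenario`) are this example's own and not names from the page.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    user_id: str
    salt: bytes
    password_hash: bytes
    credential_version: int = 1  # bumped on every password change


@dataclass
class Session:
    token: str
    user_id: str
    credential_version: int  # the user's version at the moment this session was issued
    issued_at: float = field(default_factory=time.time)


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; any slow, salted password hash serves the same purpose here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AuthServer:
    """Constructed in-memory stand-in for an application's user and session store."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = User(user_id, salt, _hash_password(password, salt))

    def _check_password(self, user: User, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, user.salt), user.password_hash)

    def login(self, user_id: str, password: str) -> Optional[str]:
        """Return a new session token, or None on bad credentials."""
        user = self.users.get(user_id)
        if user is None or not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        # Record which credential generation this session belongs to.
        self.sessions[token] = Session(token, user_id, user.credential_version)
        return token

    def current_user(self, token: Optional[str]) -> Optional[str]:
        """Validate a session cookie on every request; stale sessions are dropped."""
        session = self.sessions.get(token) if token else None
        if session is None:
            return None
        user = self.users[session.user_id]
        if session.credential_version != user.credential_version:
            # The password changed after this session was issued: treat it as logged out.
            del self.sessions[token]
            return None
        return session.user_id

    def change_password(self, token: str, old_password: str, new_password: str) -> bool:
        """Change the password and invalidate every session of that user, including this one."""
        user_id = self.current_user(token)
        if user_id is None:
            return False
        user = self.users[user_id]
        if not self._check_password(user, old_password):
            return False
        user.salt = os.urandom(16)
        user.password_hash = _hash_password(new_password, user.salt)
        user.credential_version += 1  # this single increment is the "force logout on all devices"
        return True


def reproduce_scenario() -> Dict[str, Optional[str]]:
    """Replay the Firefox/Chrome steps from the report against the hardened server."""
    server = AuthServer()
    server.register("alice", "old-password")  # constructed test account
    firefox = server.login("alice", "old-password")
    chrome = server.login("alice", "old-password")
    assert server.change_password(chrome, "old-password", "new-password")
    return {
        "firefox_after_change": server.current_user(firefox),  # None: old session rejected
        "chrome_after_change": server.current_user(chrome),    # None: changing session logged out too
        "old_password_login": server.login("alice", "old-password"),  # None
        "relogin_user": server.current_user(server.login("alice", "new-password")),  # "alice"
    }


if __name__ == "__main__":
    print(reproduce_scenario())
```

If sessions must survive a password change on the device that made the change, issue a fresh session to that device inside `change_password` after the version bump rather than exempting the old one; the old token must never remain valid, since it is the token an attacker may already hold.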
2 years ago
It's already added as a milestone for nopCommerce v4.60:
https://github.com/nopSolutions/nopCommerce/issues/4987