Fix password change/reset not immediately invalidating other sessions (#12928)
While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.local
parent
ce1dee85b5
commit
daf71573d0
3 changed files with 14 additions and 1 deletions
Loading…
Reference in new issue