- Assigned to sksanjoo2
Follow-up to #2508627: Changing email address should invalidate one-time login links →
Assume I realize I left myself logged into a shared computer to my Drupal site account.
I change my password to protect myself.
However, the session on the shared computer is NOT invalidated and anyone with access to that machine continues to have access to my Drupal site account.
Add to the session API a method that allows invalidating all sessions based on username or uid.
\Drupal\Core\Session\SessionManager\SessionManager, similar to \Drupal\Core\Session\SessionManager\SessionManager::delete(), that deletes all sessions EXCEPT the current one — suggested ::deleteOther() — see patch in #13.n/a
API addition
Need to expand the session API to support invalidating all sessions for a user, and make that an API back-ends need to support in some way.
Because of that requirement for back-ends to support it, this is not something that can readily be added in 8.1.x so must be added to 8.0.x
None
For drupal 7 there are contrib solutions that work only for SQL session storage: https://www.drupal.org/node/2294061 →
original report was part of the Drupal 8 bug bounty
https://tracker.bugcrowd.com/submissions/39a728dfa89b4029bbc15499c410b97...
https://tracker.bugcrowd.com/submissions/756a3dbf67e9f3e917f4525c0ef9c35...
Fixed
10.0 ✨
Last updated
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.