
Empower users to be able to log out other sessions during password reset

Details

    • MOODLE_31_STABLE, MOODLE_33_STABLE, MOODLE_402_STABLE, MOODLE_405_STABLE
    • MDL-58353-main

      Check default for passwordchangelogout

      1. Log in as admin
      2. Go to Site admin -> Security -> Site security settings
      3. CONFIRM that default setting for 'Log out after password change' is 'Yes'

      Manage sessions page

      1. Log in as a student using the same credentials on 3 different browsers.
      2. On one of your browser sessions, click on your user profile icon and choose 'Profile'.
      3. Click the 'Browser sessions' link under the 'Reports' section.
      4. CONFIRM that there is a new button below the table allowing you to log out all sessions.
      5. Click on 'Log out all other sessions' button.
      6. CONFIRM you see a message informing you that you have been logged out of the other sessions.
      7. CONFIRM there is only one session in the table (the current one).
      8. Using the other browser sessions you have open, attempt to navigate to any other page.
      9. CONFIRM that you are logged out from each other browser.

      Password change logs out other sessions

      1. Log in as admin
      2. Go to Site admin -> Security -> Site security settings
      3. ENSURE that 'Log out after password change' is set to 'Yes' (enabled)
      4. Log in as a student using the same credentials on 2 different browsers.
      5. In one of the browsers (doesn't matter which), click on your user profile icon and choose 'Preferences'
      6. Click the 'Change password' link
      7. CONFIRM there is a checkbox at the end of the form that says 'Log out all other sessions' and it is 'checked' and it is 'disabled'
      8. Fill out the form to change the password and save changes
      9. Go to your other browser session and attempt to navigate to a different page.
      10. CONFIRM you are logged out from that browser session.
      11. Repeat these test steps, but this time disable the admin setting in step #3 and CONFIRM that you can manually tick the 'Log out all other sessions' checkbox and get the same end result.
    • 2
    • Team Hedgehog Sprint 1.2, Team Hedgehog Sprint 1.3, Team Hedgehog Sprint 1 review, Team Hedgehog Sprint 2.1, Team Hedgehog Sprint 2.2, Team Hedgehog 2023 Sprint 1.3

    Description

      From Moodle 2.9 onward, there is already an admin setting for "Log out after password change" (docs here), which logs out all sessions apart from the one changing the password.

      However, this is disabled by default, and it is at admins' sole discretion whether other sessions are logged out on password reset. Revoking other sessions is considered security best practice, since it means someone using a compromised session should lose access to the account when the password is reset. With that in mind, I propose:

      1. We enable the "Log out after password change" (passwordchangelogout) setting by default on new sites.
      2. We implement functionality (such as a checkbox) on the password reset page which allows a user to invalidate other sessions during the password reset process.
      3. For #2, it should be possible for users to perform this action when the admin setting does not force it (is not enabled). However, if admins are enforcing it, then the logout should always occur, so the checkbox should be ticked and disabled so the user cannot prevent this from occurring.
      4. We may want to add additional text to the end of the lang string for the admin setting, along the lines of "If disabled, users will be able to control whether other sessions are terminated while performing a password reset".

      (Original issue analysed and above updated requirements written by michaelh)

      Original report:

      What Occurred:
      We routinely update the password of our 'admin' account due to audit requirements. During the course of this, I was logged in to the 'admin' account on Browser A (Chrome) and Browser B (Firefox) prior to the password change.

      I changed the password for the Admin account in Browser A. After this change, I was still able to browse successfully in Browser B as 'admin'.

      What I Expected:
      I expected that all sessions for the user would be revoked at that moment, and thus Browser B would have been logged out immediately (however this would only be evident on the next page load).

      What Happened:
      Admin account in Browser B was NOT logged out, and retained full access.

      Risk:
      The risk of this is that if any account is compromised, changing the password while a user is logged in will NOT log any unauthorised users out, as a user would expect.

      Mitigation:
      It would be trivial to remove all existing sessions once the password has been changed. This occurs with many major online services.

      Moodle versions tested:
      3.1.3 (local testing)
      3.3 (qa.moodle.net) - Tested with the 'manager' account. Likely affects accounts of all roles.
      Likely other versions. I do not have easy access to others to allow testing.


      Update
      This is an old issue, but I can see this affecting Moodle back to 3.9 if it is considered a security issue.
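As an added illustration (not Moodle's own code), the following Python model shows the session-revocation policy proposed above together with the 'Log out all other sessions' action from the testing instructions; SessionStore, change_password, demo and the form field name logoutothersessions are constructed names, and the credential update itself is left out.

```python
# Added example, not Moodle code: a minimal model of the proposed policy.
# SessionStore, change_password and the form field name are constructed names.
import secrets

class SessionStore:
    """In-memory session_id -> user_id map, standing in for the server session table."""
    def __init__(self):
        self.sessions = {}

    def login(self, user_id):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user_id
        return sid

    def kill_user_sessions(self, user_id, keep_sid=None):
        """Revoke every session of user_id except keep_sid and return the revoked ids.
        The 'Log out all other sessions' button does exactly this for the current user."""
        doomed = [s for s, u in self.sessions.items() if u == user_id and s != keep_sid]
        for s in doomed:
            del self.sessions[s]
        return doomed

def checkbox_state(passwordchangelogout):
    """Form rendering: ticked and disabled when the admin enforces it, editable otherwise."""
    if passwordchangelogout:
        return {"checked": True, "disabled": True}
    return {"checked": False, "disabled": False}

def change_password(store, user_id, current_sid, passwordchangelogout, form):
    """Password-change handler. The admin setting is re-checked server-side rather than
    trusting the form alone: a disabled checkbox is never submitted by the browser, and a
    tampered form must not be able to switch an enforced logout off."""
    if store.sessions.get(current_sid) != user_id:
        raise PermissionError("not authenticated as this user")
    # The credential update itself is omitted; this model covers session handling only.
    if passwordchangelogout or form.get("logoutothersessions") == "1":
        return store.kill_user_sessions(user_id, keep_sid=current_sid)
    return []

def demo(passwordchangelogout, form):
    """Reproduce the report: user 42 is logged in on browsers A and B and changes the
    password from A. Returns (A still valid, B still valid)."""
    store = SessionStore()
    a, b = store.login(42), store.login(42)
    change_password(store, 42, a, passwordchangelogout, form)
    return a in store.sessions, b in store.sessions
```

demo(False, {}) reproduces the original report (browser B keeps its session), while demo(True, {}) shows the enforced setting revoking B even though the disabled checkbox was never submitted.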

            People

              david.woloszyn@moodle.com David Woloszyn
              james.mclean James McLean
              Michael Hawkins Michael Hawkins
              Votes: 1
              Watchers: 8


                Time Tracking

                  Estimated: 0 minutes (original estimate 0m)
                  Remaining: 0 minutes (remaining estimate 0m)
                  Logged: 1 day, 4 hours, 21 minutes (1d 4h 21m)
