Type: Improvement
Resolution: Fixed
Priority: Minor
Affects Version/s: 3.1.3, 3.3, 4.2, 4.5
Affected Branches: MOODLE_31_STABLE, MOODLE_33_STABLE, MOODLE_402_STABLE, MOODLE_405_STABLE
Fixed Branches: MOODLE_405_STABLE
Pull Main Branch: MDL-58353-main
2
Sprint: Team Hedgehog Sprint 1.2, Team Hedgehog Sprint 1.3, Team Hedgehog Sprint 1 review, Team Hedgehog Sprint 2.1, Team Hedgehog Sprint 2.2, Team Hedgehog 2023 Sprint 1.3, Team Hedgehog 2024 Sprint 2.2, Team Hedgehog 2024 Sprint 2.3
From Moodle 2.9 onward, there is already an admin setting for "Log out after password change" (docs here), which logs out all sessions apart from the one changing the password.
However, this is disabled by default, and it is at admins' sole discretion whether other sessions are logged out on password reset. Revoking other sessions is considered security best practice, since it means someone using a compromised session should lose access to the account when the password is reset. With that in mind, I propose:
1. We enable the "Log out after password change" (passwordchangelogout) setting by default on new sites.
2. We implement functionality (such as a checkbox) on the password reset page which allows a user to invalidate other sessions during the password reset process.
3. For #2, it should be possible for users to perform this action when the admin setting does not force it (is not enabled). However, if admins are enforcing it, then the logout should always occur, so the checkbox should be ticked and disabled so the user cannot prevent this from occurring.
4. We may want to add additional text to the end of the lang string for the admin setting, along the lines of "If disabled, users will be able to control whether other sessions are terminated while performing a password reset".
(Original issue analysed and above updated requirements written by michaelh)
Original report:
What Occurred:
We routinely update the password of our 'admin' account due to audit requirements. During the course of this, I was logged in to the 'admin' account on Browser A (Chrome) and Browser B (Firefox) prior to the password change.
I changed the password for the Admin account in Browser A. After this change, I was still able to browse successfully in Browser B as 'admin'.
What I Expected:
I expected that all sessions for the user would be revoked at that moment, and thus Browser B would have been logged out immediately (however, this would only be evident on the next page load).
What Happened:
Admin account in Browser B was NOT logged out, and retained full access.
Risk:
The risk of this is that if any account is compromised, changing the password while a user is logged in will NOT log any unauthorised users out, as a user would expect.
Mitigation:
It would be trivial to remove all existing sessions once the password has been changed. This occurs with many major online services.
Moodle versions tested:
3.1.3 (local testing)
3.3 (qa.moodle.net) - Tested with the 'manager' account. Likely affects accounts of all roles.
Likely other versions. I do not have easy access to others to allow testing.
Update
This is an old issue, but I can see this affecting Moodle back to 3.9 if it is considered a security issue.
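The behaviour requested above (other sessions revoked on password change, the change's own session kept, admin enforcement overriding the user's checkbox) is small enough to model end to end. The following is an added illustration written for this page, not Moodle code: it uses a constructed in-memory session table keyed by session id, PBKDF2 for the password hash, and a hypothetical `user_ticked` flag standing in for the proposed checkbox. The `reported_scenario` helper replays the original report (one account logged in on Browser A and Browser B, password changed from A) under each combination of setting and checkbox.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ROUNDS = 100_000  # illustrative; not Moodle's hashing configuration


@dataclass
class SessionStore:
    """Constructed in-memory session table: session id -> user id (assumption)."""
    sessions: dict = field(default_factory=dict)

    def start(self, userid: int) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = userid
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self.sessions

    def kill_user_sessions(self, userid: int, keepsid: Optional[str] = None) -> int:
        """Destroy every session of userid except keepsid; return how many died."""
        doomed = [s for s, u in self.sessions.items() if u == userid and s != keepsid]
        for s in doomed:
            del self.sessions[s]
        return len(doomed)


def checkbox_state(passwordchangelogout: bool) -> dict:
    """Proposed checkbox on the reset page: forced (ticked + disabled) when the
    admin setting is on, an ordinary unticked opt-in when it is off."""
    return {"checked": passwordchangelogout, "disabled": passwordchangelogout}


def must_kill_other_sessions(passwordchangelogout: bool, user_ticked: bool) -> bool:
    """Admin enforcement always wins; the user's choice only counts when it is off."""
    return passwordchangelogout or user_ticked


def set_password(users: dict, userid: int, password: str) -> None:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    users[userid] = (salt, digest)


def check_password(users: dict, userid: int, password: str) -> bool:
    salt, digest = users[userid]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def change_password(store: SessionStore, users: dict, userid: int, current_sid: str,
                    new_password: str, passwordchangelogout: bool,
                    user_ticked: bool = False) -> int:
    """Change the password and, if the setting or the checkbox says so, revoke every
    other session of the user. The session performing the change is always kept.
    Returns the number of other sessions revoked."""
    if store.sessions.get(current_sid) != userid:
        raise PermissionError("current session does not belong to this user")
    set_password(users, userid, new_password)
    if must_kill_other_sessions(passwordchangelogout, user_ticked):
        return store.kill_user_sessions(userid, keepsid=current_sid)
    return 0


def reported_scenario(passwordchangelogout: bool, user_ticked: bool = False):
    """Replay the original report: 'admin' on Browser A and Browser B, password
    changed from Browser A. Returns (A still valid, B still valid)."""
    store, users = SessionStore(), {}
    admin, other_user = 2, 3                      # constructed user ids
    set_password(users, admin, "old-password")
    sid_a = store.start(admin)
    sid_b = store.start(admin)
    sid_other = store.start(other_user)           # another user: must be untouched
    change_password(store, users, admin, sid_a, "new-password",
                    passwordchangelogout, user_ticked)
    assert store.is_valid(sid_other)
    assert check_password(users, admin, "new-password")
    return store.is_valid(sid_a), store.is_valid(sid_b)


if __name__ == "__main__":
    print("setting off, box unticked:", reported_scenario(False))        # (True, True): the reported behaviour
    print("setting on (forced):      ", reported_scenario(True))         # (True, False)
    print("setting off, box ticked:  ", reported_scenario(False, True))  # (True, False)
```

The first line of output is the situation the reporter hit: with the setting off and no way for the user to opt in, Browser B keeps its session. Either turning the setting on or letting the user tick the box revokes B while keeping A, and sessions of other users are never touched.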
- has a non-specific relationship to:
  - MDL-70843 Add a "Log out after email change" site administration setting (Open)
  - MDL-82405 Combine 'passwordchangelogout' and 'passwordchangetokendeletion' admin settings (Open)
- has been marked as being related by:
  - MDL-50168 Automatically populate updated values in $USER when user_update_user is called (Closed)
  - MDL-82417 Backport 'signoutofotherservices' and 'signoutofotherservices_help' strings from MDL-58353 (Closed)
- will be (partly) resolved by:
  - MDL-47800 Logout user when somebody changes their password (Closed)