#31179 closed Bug (invalid)
Using the "forgot password" mechanism doesn't invalidate other sessions
Reported by: | Mike Lissner | Owned by: | Rishabh Verma |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | forgot password, reset password, sessions logs out |
Cc: | Triage Stage: | Accepted | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
(I don't think this is enough of a vuln to not file publicly, since there's no way to really take advantage of it.)
We just received a vulnerability report that when a user learns that their account has been hijacked, forgets their password, and uses the "Forgot Password" link, Django doesn't invalidate the hijacked cookies, despite the user just changing their password.
Django *does* invalidate cookies when passwords are reset via other mechanisms, but not when they're done this way.
I haven't tested this, but I think a one-line patch could be added here:
https://github.com/django/django/blob/master/django/contrib/auth/views.py#L300-L305
I *think* we just need to add:
update_session_auth_hash(self.request, form.user)
And that might do it?
Change History (4)
comment:1 by , 5 years ago
Owner: | changed from | to |
---|---|---|
Status: | new → assigned |
Triage Stage: | Unreviewed → Accepted |
comment:2 by , 5 years ago
Keywords: | forgot password reset password sessions logs out added |
---|---|
comment:3 by , 5 years ago
Resolution: | → invalid |
---|---|
Status: | assigned → closed |
Just updating the password is enough to invalidate all sessions. As you can see in User.get_session_auth_hash(), the session hash is an HMAC of the current password hash. Any session which does not have the correct session hash after the password has been updated is automatically discarded when accessed.
What update_session_auth_hash() does is revalidate the current session by saving the new session hash in it. This prevents a logged-in user from having to log in again when they've just entered both their old and new passwords in the very same session. In PasswordResetView, the user is not expected to be logged in, so revalidating the session has no effect.
comment:4 by , 5 years ago
Curious. I thought I reproduced it too, but perhaps I didn't do my test properly. I'm checking with the vulnerability reporter if he can reproduce it and will reopen if there's some subtlety we've missed (I suspect not!).
Thanks for the response and sorry for taking your time.
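The following is an added, self-contained model of the mechanism described in the thread; it is not code from the ticket or from Django itself. It reproduces the idea that the session auth hash is an HMAC over the user's current password hash, that a session whose stored hash no longer matches is flushed on access, and that update_session_auth_hash() only re-validates the one session it is given. The `User` class, the stand-in password hasher, `SECRET_KEY`, `KEY_SALT` and the `scenario()` walkthrough are constructed for this example (Django's real implementation uses its configured password hashers and `salted_hmac()` keyed from `settings.SECRET_KEY`); the session key names `_auth_user_id` and `_auth_user_hash` are the ones django.contrib.auth uses.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for settings.SECRET_KEY and an HMAC key salt (assumption:
# real Django derives the key via salted_hmac(), not by concatenation).
SECRET_KEY = b"constructed-example-secret-key"
KEY_SALT = b"example.User.get_session_auth_hash"
ID_SESSION_KEY = "_auth_user_id"      # same session key names django.contrib.auth uses
HASH_SESSION_KEY = "_auth_user_hash"


class User:
    """Minimal user model: holds a salted password hash, like AbstractBaseUser.password."""

    def __init__(self, username, raw_password):
        self.username = username
        self.password = ""
        self.set_password(raw_password)

    def set_password(self, raw_password):
        # Stand-in hasher (assumption, not Django's): a fresh random salt means the
        # stored hash, and therefore the session auth hash, changes on every update.
        salt = secrets.token_hex(8)
        digest = hashlib.sha256((salt + raw_password).encode()).hexdigest()
        self.password = f"sha256${salt}${digest}"

    def get_session_auth_hash(self):
        # The session auth hash is an HMAC over the *current* password hash.
        return hmac.new(SECRET_KEY + KEY_SALT, self.password.encode(), hashlib.sha256).hexdigest()


def login(session, user):
    """Store the user id and the session auth hash, as django.contrib.auth.login does."""
    session[ID_SESSION_KEY] = user.username
    session[HASH_SESSION_KEY] = user.get_session_auth_hash()


def update_session_auth_hash(session, user):
    """Re-validate only *this* session after a password change (the helper named in the ticket)."""
    if session.get(ID_SESSION_KEY) == user.username:
        session[HASH_SESSION_KEY] = user.get_session_auth_hash()


def get_user(session, users):
    """Resolve a session to a user; a stale auth hash flushes the session, i.e. logs it out."""
    user = users.get(session.get(ID_SESSION_KEY))
    if user is None:
        return None
    stored = session.get(HASH_SESSION_KEY, "")
    if not hmac.compare_digest(stored, user.get_session_auth_hash()):
        session.clear()  # the "automatically discarded when accessed" step
        return None
    return user


def scenario():
    """Two sessions for one account, the owner's and a hijacked one.
    Returns which sessions survive each kind of password update."""
    alice = User("alice", "correct horse")
    users = {alice.username: alice}
    own, hijacked = {}, {}
    login(own, alice)
    login(hijacked, alice)

    # 1. "Forgot password" flow: the reset happens outside any logged-in session,
    #    nothing is re-validated, so every existing session (hijacked included) dies.
    alice.set_password("battery staple")
    after_reset = {
        "own_alive": get_user(own, users) is alice,
        "hijacked_alive": get_user(hijacked, users) is alice,
    }

    # 2. Logged-in password change: update_session_auth_hash() keeps only the
    #    session in which the change was made; the hijacked session still dies.
    login(own, alice)
    login(hijacked, alice)
    alice.set_password("new passphrase")
    update_session_auth_hash(own, alice)
    after_change = {
        "own_alive": get_user(own, users) is alice,
        "hijacked_alive": get_user(hijacked, users) is alice,
    }
    return {"forgot_password": after_reset, "change_password": after_change}


if __name__ == "__main__":
    print(scenario())
```

Running it shows why the ticket was closed as invalid: the password-reset path needs no call to update_session_auth_hash(), because the HMAC check on the next request already throws out every session that still carries the old hash, and there is no current session worth preserving.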