Details
Type: New Feature
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.5.0-b1
Fix Version/s: None
Component/s: None
Labels: None
Description
Some users may wish to disable this, so it should likely be a system setting.
For some installations it is a security requirement that all of a user's currently valid, active sessions be invalidated once that user's password has been changed. To accomplish this:
- Derive a short token from the user's stored password hash:
  - v = HMAC-SHA-256(key = SECRET KEY, message = USER'S PASSWORD HASH FROM DB)
  - t = SUBSTR(v, 0, 6)
- When the user logs in, store t (the token) in the user's session.
- When validating a user's session, recompute t from the password hash currently in the DB and compare it with the t stored in the session.
- If t is not present, or t does not match the computed value, destroy the session.
- If t matches the computed value, the user's session is valid.
Because a password change replaces the stored hash, the recomputed t no longer matches, and every existing session for that user is destroyed on its next request without touching the session table directly.
Obviously, this check only needs to take place if the user is authenticated.
When the setting is first enabled, existing sessions carry no t, so all currently active sessions are invalidated and every user must re-authenticate (log in).
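The scheme above, as an added example written for this ticket in Python (the project itself is PHP, and this is not its code). The users and sessions tables are plain dicts, the secret key and passwords are constructed, PBKDF2 stands in for whatever password hash the application stores, and the setting name INVALIDATE_ON_PASSWORD_CHANGE is an assumption.

```python
"""Invalidate a user's sessions after a password change via a truncated HMAC token."""
import hashlib
import hmac
import os
import secrets

SECRET_KEY = b"constructed-example-secret-key"  # the site's secret key (constructed)
TOKEN_LENGTH = 6                                 # t = SUBSTR(v, 0, 6) as proposed
INVALIDATE_ON_PASSWORD_CHANGE = True             # the proposed system setting (name assumed)

users = {}     # user_id -> {"password_hash": str}   (stands in for the users table)
sessions = {}  # session_id -> {"user_id": int, "pw_token": str or None}


def hash_password(password: str) -> str:
    """Stand-in for the application's stored password hash: salted PBKDF2-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def password_token(password_hash: str, secret_key: bytes = SECRET_KEY) -> str:
    """v = HMAC-SHA-256 keyed with the secret over the stored hash; t = its first 6 hex chars."""
    v = hmac.new(secret_key, password_hash.encode(), hashlib.sha256).hexdigest()
    return v[:TOKEN_LENGTH]


def login(user_id: int) -> str:
    """Create a session and store t in it (credential checking itself is out of scope here)."""
    session_id = secrets.token_urlsafe(32)
    sessions[session_id] = {
        "user_id": user_id,
        "pw_token": password_token(users[user_id]["password_hash"]),
    }
    return session_id


def change_password(user_id: int, new_password: str) -> None:
    """Only the stored hash changes; no session row is touched. Each of the user's
    sessions fails its next validate_session() call because t no longer matches."""
    users[user_id]["password_hash"] = hash_password(new_password)


def validate_session(session_id: str) -> bool:
    """Return True if the session is still valid; destroy it and return False otherwise."""
    session = sessions.get(session_id)
    if session is None:
        return False                      # unknown or already destroyed
    if not INVALIDATE_ON_PASSWORD_CHANGE:
        return True                       # setting disabled: behave as before
    expected = password_token(users[session["user_id"]]["password_hash"])
    stored = session.get("pw_token")
    # Missing token (session predates the setting) or mismatch: destroy the session.
    if stored is None or not hmac.compare_digest(stored, expected):
        del sessions[session_id]
        return False
    return True


def demo() -> dict:
    """Two live sessions plus one pre-feature session; then a password change."""
    users.clear()
    sessions.clear()
    users[1] = {"password_hash": hash_password("correct horse")}
    laptop = login(1)
    phone = login(1)
    legacy = secrets.token_urlsafe(32)
    sessions[legacy] = {"user_id": 1, "pw_token": None}  # created before the setting existed
    before = {
        "laptop": validate_session(laptop),
        "phone": validate_session(phone),
        "legacy": validate_session(legacy),
    }
    change_password(1, "battery staple")
    after = {"laptop": validate_session(laptop), "phone": validate_session(phone)}
    after["relogin"] = validate_session(login(1))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Two points a reviewer would check: the comparison uses a constant-time compare, and the six-character truncation is 24 bits, which costs nothing against an attacker (the token is only ever compared with the current value, never searched for) but leaves a 2^-24 chance that a password change yields the same truncated token and a session survives; storing the full hex digest removes that case at the price of a longer session column.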
Issue Links
- relates to CORE-1324 Add staff group option to restrict logins to specific IP addresses (Open)