Kill all active sessions after password reset

Hi,

Is there any way to kill all active sessions that are active in different tabs or windows?
Scenario: If I open the application in multiple tabs and reset the password in one tab, I am still able to log in with the old password in the other tabs.

My scenario is:
I have logged in to two browsers, Microsoft Edge and Chrome. When I reset my password in Chrome and then just make an API call in the Edge browser (no reload of the application), it gives me the proper data without logging out. Usually that should be logged out.

I have set Redirect To as the logout URL in the change password email template, which logs out my application and redirects to the login page again.

Is this an issue in Auth0?

I can confirm.

The security risk is when a user forgets to sign out and delete the active browser session at a public place.

A user has no way of invalidating all active sessions, not even with a password reset.

Steps to reproduce:

  1. Log in with browser B1 to create session S1
  2. Log in with browser B2 to create session S2
  3. Request a password reset in browser B2; confirm to change the password
  4. Use the new password to log in with browser B2 to create session S3

Even after resetting the password, session S1 in browser B1 remains active and can be abused.

I reckon this scenario can also be abused when a session can be duplicated by an attacker. Even when the victim is alerted by the session duplication, they have no way of mitigating the attack by ending all sessions and re-authenticating.

I can’t reproduce the issue in the original post, nor the last one by @larsatfugacloud.

Just to confirm: you are talking about Auth0 sessions, not application sessions, right?
I am referring to the different session layers as described at Sessions.

Auth0 sessions are reset when a user’s password or email address changes.

Hello, a bug bounty hunter just reported the same to us, and he talks about the Auth0 session. Can you confirm that this is not true? The report we received:

Suppose, you have an account https://lumeer.eu.auth0.com/login?state=

Somehow an attacker manages to get your password and logs in to your account… after learning that your ID has been compromised, what will you do?
I guess the first thing that will pop up in your head is, “I should change my password!” and you’ll change the password… most users just change their password when they recover their ID.
In https://lumeer.eu.auth0.com/login?state=//users/sign_in changing the password doesn’t destroy the other sessions which are logged in with old passwords.

(Logging in with the new password doesn’t invalidate the older sessions either.)
As the other sessions are not destroyed, the attacker will still be logged in to your account even after changing the password, because his session is still active… he’ll have complete access to your account until that session expires!
So, your account remains insecure even after changing the password.


Would love to see an Auth0 response to this.

@dylan.dempsey1 would you be able to follow-up on this one?

Would be curious about this too.

Someone brought this post to my attention, sorry for the delay. It sounds like what the previous user mvecera is describing is an issue of the different session layers not all being cleared. See Sessions.

Keep in mind, changing passwords to clear sessions is only able to clear the Auth0 session in this case. Your application session specifically has to be cleared by you.

“This layer is the session inside your application. Though your application uses Auth0 to authenticate users, your application also tracks that the user has logged in to your application; in a regular web application, for example, you achieve this by storing this information inside a cookie.”

“Logging users out of your applications typically results in their application session being cleared, and this should be handled by your application: for the Application Session Layer, there is nothing within your Auth0 tenant that you need to use to facilitate session termination. This will require you to utilize whatever application session stack you are using to clear out any session related information. Note that some of the Auth0 SDKs do provide some support for application sessions; please check the documentation to see if there is any local SDK session removal that needs to be done.”

I would need more details to give a complete answer, but this is my assumption based on what I’ve read. Resetting the password will end the Auth0 session for the user, but if they already have an application session set up, they will have a token to your application. The Auth0 session for this user has been ended, but they are still able to access the application itself because that session was not cleared. The application type and how it is configured will alter how sessions need to be cleared.

If you have a specific issue or example to review you can open a case with our support team or provide some details here to review.

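The application-layer fix Dylan describes, as an added example that is not Auth0's code or anything posted in this thread: each user carries a session generation counter, every application session is stamped with the generation current at login, and a password change (or a "log out everywhere" action) bumps the counter so every older session is rejected on its next request, even if its cookie has not expired. The in-memory store and all class and function names are assumptions standing in for a real session backend.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    user_id: str
    session_generation: int = 0  # bumped on every password change / logout-all


@dataclass
class AppSession:
    session_id: str
    user_id: str
    generation: int  # user's generation at the moment this session was issued


class SessionStore:
    """Assumed in-memory application session layer (not the Auth0 session)."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, AppSession] = {}

    def login(self, user_id: str) -> str:
        """Issue an application session after Auth0 has authenticated the user."""
        user = self.users.setdefault(user_id, User(user_id))
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = AppSession(sid, user_id, user.session_generation)
        return sid

    def current_user(self, sid: str) -> Optional[str]:
        """Per-request check: a session from an older generation is dead even
        though its cookie/token has not expired (the thread's other-tab case)."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if s.generation != self.users[s.user_id].session_generation:
            self.sessions.pop(sid, None)  # lazily purge the stale session
            return None
        return s.user_id

    def invalidate_all_sessions(self, user_id: str) -> int:
        """Call from the password-change or 'log out everywhere' handler.
        Bumping the generation kills sessions wherever they are stored; the
        eager purge below only frees local storage. Returns sessions purged."""
        user = self.users.setdefault(user_id, User(user_id))
        user.session_generation += 1
        stale = [sid for sid, s in self.sessions.items() if s.user_id == user_id]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)
```

The same check applies to stateless tokens: compare the token's issued-at against a stored password-changed-at for the user instead of a generation counter.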

Thanks for following-up on this Dylan!
