Our application consists of an Ember.js SPA and a Rails API. We’re using lock.js.
Here’s the flow we have an issue with:
- Browser A is logged in
- Browser B is logged in
Now imagine a user logged into Browser A and B discovers she has been compromised. So the first thing she does is reset her password.
- Browser A requests a password change, receives the password change email, clicks the reset link and resets the password.
- Browser A remains logged in after the password change.
- Browser B appears to log the user out, but can simply click “log in” again, and click on their account listed under “last time you signed in with” and they are logged in again, without needing to know the updated password!
Step 5 is where everything goes wrong. Browser B should be forced to enter the new credentials to log in again, but instead it seemingly can just continue with the convenient last-account-used button.
You can just disable rememberLastLogin on Lock.js (https://github.com/auth0/lock) to avoid providing the last login button… but step 5 suggests that the frontend is still able to issue new sessions with old credentials.
Ultimately this all boils down to: is it possible to invalidate all other sessions and credentials when their password is reset, forcing them to fully re-authenticate?
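One server-side way to enforce that outcome on the Rails API, as an added example that is not part of the original post and not Auth0 or Lock.js code: every session token carries an issued-at time, and the API rejects any token issued before the user's last password change. The HMAC-signed token format, the `password_changed_at` column and the in-memory user store are assumptions for this example; the identity provider's own session is not modeled.

```ruby
require 'openssl'
require 'json'

# Constructed secret and user store standing in for the app's config and
# User model; the password_changed_at column is an assumption.
SECRET = 'constructed-demo-secret'.freeze
USERS = {
  'alice' => { password_changed_at: Time.utc(2024, 1, 10, 12, 0, 0) }
}.freeze

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Session token: base64(JSON payload) "." HMAC-SHA256 over that body.
def issue_token(user_id, issued_at, secret = SECRET)
  body = [JSON.generate('sub' => user_id, 'iat' => issued_at.to_i)].pack('m0')
  "#{body}.#{OpenSSL::HMAC.hexdigest('SHA256', secret, body)}"
end

# Returns :ok, :bad_signature, :unknown_user or :stale. A token is stale
# when its iat predates the user's last password change, so every session
# issued earlier (Browser A, Browser B, the "last time you signed in with"
# shortcut) is refused until the user re-authenticates with the new password.
def verify_token(token, users = USERS, secret = SECRET)
  body, mac = token.to_s.split('.', 2)
  return :bad_signature if body.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, body)
  return :bad_signature unless secure_equal?(mac, expected)
  payload = JSON.parse(body.unpack1('m0'))
  user = users[payload['sub']]
  return :unknown_user unless user
  return :stale if Time.at(payload['iat']).utc < user[:password_changed_at]
  :ok
rescue JSON::ParserError, ArgumentError, TypeError
  :bad_signature
end

if __FILE__ == $PROGRAM_NAME
  old_session = issue_token('alice', Time.utc(2024, 1, 5))   # Browser B, before the reset
  new_session = issue_token('alice', Time.utc(2024, 1, 11))  # fresh login after the reset
  puts "old session: #{verify_token(old_session)}"  # stale
  puts "new session: #{verify_token(new_session)}"  # ok
end
```

Setting `password_changed_at` in the reset handler is what actually revokes the outstanding sessions; tokens with no issued-at claim cannot be distinguished and should be rejected as malformed, as the rescue branch does.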