While making browser requests in the other sessions after a password
change or reset does not allow you to be logged in and correctly
invalidates the session making the request, sessions have API tokens
associated with them, which can still be used until that session
is invalidated.
This is a security issue for accounts that were already compromised
some other way because it makes it harder to throw out the hijacker.
layout 'auth'
+ def update
+ super do |resource|
+ resource.session_activations.destroy_all if resource.errors.empty?
+ end
+ end
+
private
def check_validity_of_reset_password_token
not_found
end
+ def update
+ super do |resource|
+ resource.clear_other_sessions(current_session.session_id) if resource.saved_change_to_encrypted_password?
+ end
+ end
+
protected
def update_resource(resource, params)
params[:password] = nil if Devise.pam_authentication && resource.encrypted_password.blank?
+
super
end
ip: request.remote_ip).session_id
end
- def exclusive_session(id)
+ def clear_other_sessions(id)
session_activations.exclusive(id)
end
cat aescling's git repositories / mastodon.git / commitdiff