Resolved: Laurie

    (@tlmwebmaster)


    We received an email from an “ethical hacker” about the issue of changing a password in one browser while logged in another browser. The session in the second browser is still valid with a password change. I’ve raised this with our hosting service (Siteground) and our security service (Sucuri). They both say this is something that needs to be addressed but that session management isn’t part of their responsibility and that I need to hire a developer.

    I’ve seen this issue in a couple of forum questions but they don’t have real answers (one decided to ignore it and one was never followed up).

    I’m looking for either something I can do within WordPress to force ending all sessions on password change or information on how I can find a developer to help me.

    This topic was modified 2 years, 9 months ago by Jan Dembowski.

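One way to do what the post asks for within WordPress, as an added example that is not code from this thread or from WordPress core: a must-use plugin that hooks `profile_update` and uses core's `WP_Session_Tokens` API to end every other session of a user whose password hash has changed. The function name and the file location are assumptions.

```php
<?php
/**
 * Plugin Name: Destroy sessions on password change (added example)
 * Description: Assumed to live in wp-content/mu-plugins/ so it loads as a
 *              must-use plugin. Ends every other session of a user whose
 *              stored password hash changed.
 */

// Fires after wp_insert_user() has written the updated user row; the second
// argument is the WP_User object as it was before the update.
add_action( 'profile_update', 'example_destroy_sessions_on_password_change', 10, 2 );

function example_destroy_sessions_on_password_change( $user_id, $old_user_data ) {
    $user = get_userdata( $user_id );
    if ( ! $user || ! $old_user_data ) {
        return;
    }

    // Only act when the stored password hash actually changed.
    $old_hash = (string) $old_user_data->user_pass;
    $new_hash = (string) $user->user_pass;
    if ( hash_equals( $old_hash, $new_hash ) ) {
        return;
    }

    // Session records live in usermeta ("session_tokens"); this manager
    // wraps them for one user.
    $sessions = WP_Session_Tokens::get_instance( (int) $user_id );

    if ( get_current_user_id() === (int) $user_id ) {
        // The user changed their own password: keep the browser that made
        // the change, drop every other browser/device. Core then re-issues
        // this browser's auth cookie in wp_update_user().
        $sessions->destroy_others( wp_get_session_token() );
    } else {
        // An administrator reset someone else's password: end all of that
        // user's sessions so they must log in again with the new password.
        $sessions->destroy_all();
    }
}
```

After installing, repeat the two-browser test from the thread: the second browser should land on the login screen on its next request, and Users > Profile for that user should no longer list other active sessions.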

Viewing 5 replies - 1 through 5 (of 5 total)
    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Thread Starter Laurie

    (@tlmwebmaster)

    Thank you for the quick reply and suggestion.

    I’m hesitant to install this plug-in. It doesn’t appear to have a track record with # of users or reviews and the link to the developer “xdigital” is broken.

    Do you have experience with the plug-in?

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Nope. But for what it’s worth, I opened my test site in a window and logged in as admin. I opened an incognito window and logged in as a test, non-admin user. I then changed the test user’s password in the first window. When I tried to reload the test user’s dashboard in the 2nd window, I was taken to a login screen. So, changing a user’s password does invalidate their logged-in session.

    Thread Starter Laurie

    (@tlmwebmaster)

    Thank you for the research. I followed your path of testing in various scenarios with different browsers. In each test, when I changed the password in one browser, I had to log in again in the second browser with the new password. So the email was a scam.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    “Dear Laurie: We’ve detected a serious problem with your website. Send money.” ??

    The topic ‘Invalidate previous session on password change and force user to log in again’ is closed to new replies.