When a user is logged into a web-based application in multiple tabs, and changes
Question
When a user is logged into a web-based application in multiple tabs and changes their password, should it automatically log them out of the other tabs? The use case is: an account is compromised, the attacker logs in, and the user also logs in and changes their password; however, since the attacker was already logged in, they are still granted access until they log out.
This seems to require storing the password bcrypt hash in the session and then, on every request, checking the session bcrypt hash against the bcrypt hash in the database. Is there an alternative approach?
Explanation / Answer
When a user logs out or changes their password, it should revoke their session token, which is usually a hash that identifies them, like fc2904-92385-4jf9.
The server should know that the particular session token is no longer good, and so if you have the application open in other windows, and you attempt to continue browsing, the server should reject all of your requests due to the token expiry.
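The revocation the answer describes, written out as an added example (it is not code from the original question or answer): a minimal server-side session store in which tokens are opaque random strings, every request is checked against the store, and a password change drops every other session the user holds. The scenario function replays the situation from the question (an attacker's session and the owner's session both open, then the owner changes the password). The user name, passwords and the use of PBKDF2 in place of bcrypt are assumptions made for the example so it runs with the standard library alone.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for bcrypt here (assumption for the example); any
    # slow, salted password hash serves the same role in the design.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    sessions: set = field(default_factory=set)  # tokens currently issued to this user


class SessionStore:
    """Server-side session registry: the server, not the client, decides whether a token is live."""

    def __init__(self):
        self._users: dict[str, User] = {}
        self._sessions: dict[str, str] = {}  # token -> username; absent means revoked or unknown

    def register_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = User(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str):
        user = self._users.get(username)
        if user is None:
            return None
        if not secrets.compare_digest(hash_password(password, user.salt), user.password_hash):
            return None
        token = secrets.token_urlsafe(32)  # opaque token; nothing about the user is derivable from it
        self._sessions[token] = username
        user.sessions.add(token)
        return token

    def authenticate(self, token: str):
        """Run on every request: returns the username, or None if the token was revoked or never issued."""
        return self._sessions.get(token)

    def logout(self, token: str) -> None:
        username = self._sessions.pop(token, None)
        if username is not None:
            self._users[username].sessions.discard(token)

    def change_password(self, token: str, old_password: str, new_password: str) -> bool:
        username = self.authenticate(token)
        if username is None:
            return False
        user = self._users[username]
        # Re-check the current password so a hijacked tab cannot change it without knowing it.
        if not secrets.compare_digest(hash_password(old_password, user.salt), user.password_hash):
            return False
        user.salt = os.urandom(16)
        user.password_hash = hash_password(new_password, user.salt)
        # Revoke every other session for this user; the tab that made the change stays logged in.
        for other in list(user.sessions):
            if other != token:
                self._sessions.pop(other, None)
                user.sessions.discard(other)
        return True


def compromise_scenario() -> dict:
    """Replays the question's scenario and reports what each party can still do (constructed data)."""
    store = SessionStore()
    store.register_user("alice", "old-password")          # constructed user and passwords
    attacker_token = store.login("alice", "old-password")  # session opened with the leaked password
    owner_token = store.login("alice", "old-password")     # the account owner's own session
    attacker_valid_before = store.authenticate(attacker_token) == "alice"
    changed = store.change_password(owner_token, "old-password", "new-password")
    return {
        "attacker_valid_before": attacker_valid_before,
        "password_changed": changed,
        "attacker_valid_after": store.authenticate(attacker_token) == "alice",
        "owner_valid_after": store.authenticate(owner_token) == "alice",
        "old_password_works": store.login("alice", "old-password") is not None,
        "new_password_works": store.login("alice", "new-password") is not None,
    }


if __name__ == "__main__":
    print(compromise_scenario())
```

Because the lookup in `authenticate` is keyed on the token alone, nothing from the password hash needs to live in the session: revocation is a single delete from the server-side table, and the other tabs fail on their very next request. The same store works for "log out everywhere" by dropping all of the user's tokens including the current one.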