Cache'd authentication credentials

dweinst created an issue

If the user's bitbucket password has changed it should disable access using any stale cookies/cached credentials so that if leaked they can no longer be used.

Also, there should be a request for the current password to confirm that the cached credentials aren't being abused to easily change the password.

One way this might happen is for someone to distribute a VM with browser web history which a malicious user could then exploit to subvert an existing account. The mitigation would be that 1) that malicious user wouldn't be able to change the password without also knowing the password, and 2) once the legitimate user realizes this, she can change the password or clear out any cached authentications.

I realize this might change the session handling process, but perhaps these should be ephemeral anyway?

David
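As an added example (not the tracker's or Bitbucket's own code), a minimal Python sketch of the two mitigations requested above: each session records the password generation it was issued under, so a password change makes every older cookie stale, and the change itself demands the current password. The `AuthStore`/`User` names and the in-memory dicts are assumptions for illustration.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass, field

@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0  # bumped on every password change

@dataclass
class AuthStore:
    users: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)  # session_id -> (user, generation)
    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def create_user(self, name, password):
        salt = os.urandom(16)
        self.users[name] = User(salt, self._hash(password, salt))
    def _check(self, name, password):
        u = self.users.get(name)
        return u is not None and hmac.compare_digest(u.pw_hash, self._hash(password, u.salt))
    def login(self, name, password):
        if not self._check(name, password):
            return None
        sid = secrets.token_urlsafe(32)
        # the session remembers which password generation it was issued under
        self.sessions[sid] = (name, self.users[name].pw_generation)
        return sid
    def session_user(self, sid):
        """User for a session cookie, or None if it is unknown or stale."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        name, gen = entry
        if gen != self.users[name].pw_generation:
            self.sessions.pop(sid, None)  # issued before the last password change
            return None
        return name
    def change_password(self, sid, current, new):
        """Needs a live session AND the current password; then every session goes stale."""
        name = self.session_user(sid)
        if name is None or not self._check(name, current):
            return False  # a leaked cookie alone is not enough
        u = self.users[name]
        u.salt = os.urandom(16)
        u.pw_hash = self._hash(new, u.salt)
        u.pw_generation += 1  # all sessions, including this one, must log in again
        return True
```

A real deployment would store the generation with the user record and issue a fresh session to the caller who changed the password, rather than logging them out too.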

Comments (4)

  1. Jesper Nøhr
    • changed status to open

    Thanks for raising this issue. You're absolutely right; it does not make sense to keep sessions lying around when you change your password.

    I've made the change now, so that when you change your password, older sessions will be immediately invalidated. While I was at it, I've also made a small page under your account settings, where you can see your current sessions. It looks like this: http://cl.ly/15300T1K3E1L0F1j2e3u

    This will go out to production tomorrow.

    Leaving as open until it's been deployed.

  2. Jesper Nøhr

    Nope, we recently removed that, purposely. We didn't think it was particularly helpful in general, and it was cumbersome when tied in with our new teams feature. So we decided to remove the "old password" prompt everywhere.

    The other changes have been deployed as of now.
