ActiveCampaign Forum

All Active user sessions should be destroyed when user change his password!


#1

Hello there,

There is an user sessions issue on your application that should be fixed.

Steps to reproduce the bug :
Step 1 : Go to Browser A at and login with your credentials at https://www.activecampaign.com/login/ and login with your credentials.

Step 2 : Similarly, Go to Browser B at and login with your same credentials at https://www.activecampaign.com/login and login with your credentials.

Step 3 : Suppose Browser B is an shared computer’s browser, and you left your account logged in at that computer. Go to Browser A and change your account
password.

Step 4 : When you change your account password at Browser A , the session at Browser B should expire and the account should automatically logged out.

Step 5 : Go to Browser B , and visit your account page and refresh the page.

You will notice that even after changing the account password at Browser A , the session at Browser B didn’t expired which can cause major problems. And also after that i can change user information

Thanks

Impact
Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other related functions. Because “walk by” attacks are likely for many web applications, all account management functions should require reauthentication even if the user has a valid session id.


#2

Hi there,

Thanks for bringing this to our attention. Please know that we take this feedback seriously and looking into this immediately.


#3

Any update about this issue ?


#4

Hey any update ?
Hey


#5

Hi @rebelliousbd

A fix for this has been implemented and you should no longer be seeing this bug.

Thanks!


#6

Yeah it’s fixed.
Any reward or bounty ?


#7

As a OWASP Top 10 bug