No session expiration after password change

We have observed that after changing our password, the session identifier stays the same. As a result, when an adversary has access to the current session identifier, he will manage to maintain an active session. How can I enforce this?
asked
1 answer

Although I disagree with the premise of your question, sometimes we have to implement functionality to be compliant with (security) frameworks: I've built something like this in the past.

My first suggestion is to try the native Mendix route: when a user changes his password, retrieve all sessions of that user from the database and delete them. I haven't tested this approach, but this should work.

Alternatively, when a user changes his password, destroy all of his sessions by executing the following Java code.

		// Requires: import java.util.Collection;
		//           import com.mendix.core.Core;
		//           import com.mendix.systemwideinterfaces.core.ISession;
		// Destroy every active session that belongs to userName (the user whose password changed).
		Collection<? extends ISession> iSessions = Core.getActiveSessions();
		for (ISession iSession : iSessions) {
			if (iSession.getUserName().equals(userName)) {
				iSession.destroy();
			}
		}
		// END USER CODE

NB: in the Java code above, you should have an input parameter userName, which is a String filled with the value of $currentUser/Name.

In both of these cases, since the session is destroyed server side, the user will not notice anything until he performs another action. I would suggest using the URL Redirector widget to redirect the user back to /index.html of your app.

answered
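The loop from the answer above wrapped into a complete Mendix Java action, as an added example that is not part of the original answer. It assumes the Mendix 7+ Java API (Core, ISession, CustomJavaAction); the module name, class name and the returned count are constructed for this example, and it guards against an empty userName, which would otherwise silently destroy nothing.

```java
package myfirstmodule.actions;

import java.util.ArrayList;
import java.util.List;

import com.mendix.core.Core;
import com.mendix.systemwideinterfaces.core.IContext;
import com.mendix.systemwideinterfaces.core.ISession;
import com.mendix.webui.CustomJavaAction;

/**
 * Destroys every active session of the given user name and returns the
 * number destroyed, so the calling microflow can log it. Call it right after
 * the new password has been committed.
 */
public class DestroyUserSessions extends CustomJavaAction<Long> {
    private final String userName;

    public DestroyUserSessions(IContext context, String userName) {
        super(context);
        this.userName = userName;
    }

    @Override
    public Long executeAction() throws Exception {
        // BEGIN USER CODE
        if (userName == null || userName.isEmpty()) {
            throw new IllegalArgumentException("userName must be filled with $currentUser/Name");
        }
        // Copy the collection first so that destroying a session cannot
        // disturb iteration if the runtime hands back a live view.
        List<ISession> sessions = new ArrayList<>(Core.getActiveSessions());
        long destroyed = 0;
        for (ISession session : sessions) {
            // Exact, case-sensitive match; anonymous sessions have generated names
            if (userName.equals(session.getUserName())) {
                session.destroy();
                destroyed++;
            }
        }
        return destroyed;
        // END USER CODE
    }

    @Override
    public String toString() {
        return "DestroyUserSessions";
    }
}
```

The returned count includes the caller's own session, so follow the action with the URL Redirector step from the answer to send the user back to /index.html.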