[SECURITY] Destroy sessions on password change
On DataHandler update or when updating a user's password via EXT:felogin, all existing sessions are destroyed except for the current session.

Resolves: #87298
Releases: master, 9.5, 8.7
Security-Commit: df7c0dbcf73be20e5ae9d4cf03b82c8326c9fccc
Security-Bulletin: TYPO3-CORE-SA-2019-011
Change-Id: Iff673d2ab774dde0f116c4bc9040d40374492a7a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60704
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Changed files:
- typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php (11 additions, 0 deletions)
- typo3/sysext/core/Classes/Hooks/DestroySessionHook.php (58 additions, 0 deletions)
- typo3/sysext/core/Classes/Session/SessionManager.php (27 additions, 0 deletions)
- typo3/sysext/core/Documentation/Changelog/8.7.x/Important-87298-DestroySessionsOnPasswordChange.rst (48 additions, 0 deletions)
- typo3/sysext/core/Tests/Functional/Session/SessionManagerTest.php (92 additions, 0 deletions)
- typo3/sysext/core/ext_localconf.php (2 additions, 0 deletions)
- typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php (14 additions, 0 deletions)