
 Security - close all active session when admin change password (4 Replies, Read 11779 times)
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
For security reasons, when the admin changes the password in Webuzo, all previous sessions must be closed!

Imagine the password is discovered by someone. If they are already in Webuzo and we change the password, the hacker can still do bad things.

Actually, when the admin changes the password, other open sessions are not invalidated. The user sees the message that the Webuzo password has been changed, and if they press OK the system simply logs out this session only. This makes no sense.

You can remove the logout function when the user presses OK. What is the function of logging out the admin after a password change if all previous open sessions, also from other PCs, are still valid?

In fact, if you change the admin password, don't click OK in the confirmation message window, and click on the Webuzo logo, you will not be logged out, because all old sessions from all other PCs are still valid.

This should be fixed: when the admin changes the password, all open instances on other PCs must also be closed.


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.

valley
Group: Webuzo Team
Post Group: Super Member
Posts: 1644
Status:
When you change the password in Webuzo, you are logged out of the control panel.
Could you share a screenshot?


peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
You are logged out only on the local PC.
If you have access open on another PC, that session is still valid.

In fact, if you change the password and, when you see the confirmation message, do NOT press OK but click the Webuzo logo, you will stay logged in.

I think a variable is needed in which Webuzo stores, for example, that the current password session is 01AsdEr (a random string), and this is left in the cookie.
If the cookie string is the same as in Webuzo, then the login is valid.

If it is not the same, the login will not be valid.
When the admin user changes the password, this string should change to a new one in Webuzo, so if someone is logged in from another PC and tries to perform an action after the password change, the session will not be valid, as the cookie string is no longer the same as in Webuzo.

Now, if someone is logged in from another PC and you change the password for security, the other user will be able to do what he wants until they close the browser or let the session expire.

All open sessions should be invalid after a password change.


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
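
The rotating cookie string proposed in the post above, sketched as an added example (not Webuzo's code and not written by anyone in this thread). The function names, the in-memory user table and the `user|stamp|mac` cookie layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # cookie-signing key, never leaves the server (assumption)
_users = {}                           # hypothetical store: user -> salt, password hash, stamp

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(user, password):
    """Store the new password and rotate the stamp, revoking every cookie issued earlier."""
    salt = secrets.token_bytes(16)
    _users[user] = {"salt": salt, "pw": _hash_pw(password, salt),
                    "stamp": secrets.token_urlsafe(16)}

def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def login(user, password):
    """Return a cookie value 'user|stamp|mac', or None on bad credentials."""
    rec = _users.get(user)
    if rec is None or not hmac.compare_digest(rec["pw"], _hash_pw(password, rec["salt"])):
        return None
    payload = f"{user}|{rec['stamp']}"
    return f"{payload}|{_sign(payload)}"

def session_valid(cookie):
    """Run on every request: the MAC must verify and the stamp must be the current one."""
    try:
        user, stamp, mac = cookie.split("|")
    except (AttributeError, ValueError):
        return False
    if not hmac.compare_digest(mac.encode(), _sign(f"{user}|{stamp}").encode()):
        return False
    rec = _users.get(user)
    return rec is not None and hmac.compare_digest(stamp.encode(), rec["stamp"].encode())

def change_password(cookie, new_password):
    """Change the password from a valid session; only that session gets a fresh cookie."""
    if not session_valid(cookie):
        return None
    user = cookie.split("|")[0]
    set_password(user, new_password)
    return login(user, new_password)
```

Because the stamp is compared on every request, a session on another PC fails at its next action after the change, without waiting for the browser to close or the session to expire.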

valley
Group: Webuzo Team
Post Group: Super Member
Posts: 1644
Status:
We shall reproduce the issue and resolve it soon.


alons
Group: Administrator
Post Group: Super Member
Posts: 2280
Status:
Hi,

We will add this in the next upcoming version.

Thanks for the suggestion.
