This repository has been archived by the owner on Aug 29, 2023. It is now read-only.

Password change doesn't require re-authentication #41

Open
JohanBraeken opened this issue Aug 25, 2014 · 0 comments


@JohanBraeken

A logged-in user is capable of changing his/her password without re-authentication.

This makes it possible to take over accounts and lock out the legitimate user when other security issues exist (Session Cookie hijacking, CSRF, XSS, etc...), or if the user forgot to log out.

Good practice is to re-authenticate password changes to have a layered security approach.
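The following is an added example, not code from this repository, showing the two password-change handlers side by side: the pattern the issue reports (a valid session is the only check) and a hardened form that re-authenticates with the current password and revokes the user's other sessions. The in-memory `UserStore`, its method names and the PBKDF2 parameters are assumptions chosen for illustration and stand in for whatever the project's real user and session storage looks like.

```python
"""Password change with and without re-authentication (added example, not project code)."""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 100_000  # PBKDF2 work factor for this example; tune for production hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 hash suitable for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record: Dict[str, bytes], candidate: str) -> bool:
    """Compare a candidate password against the stored hash in constant time."""
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(attempt, record["hash"])


class UserStore:
    """Constructed in-memory user and session store (assumption: stands in for the app's database)."""

    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, bytes]] = {}
        self.sessions: Dict[str, str] = {}  # session id -> username

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a fresh session id on success, None on bad credentials."""
        record = self.users.get(username)
        if record is None or not verify_password(record, password):
            return None
        session_id = os.urandom(16).hex()
        self.sessions[session_id] = username
        return session_id

    def change_password_unsafe(self, session_id: str, new_password: str) -> bool:
        """The pattern reported in the issue: holding a live session is the only
        requirement, so a hijacked cookie or an unattended browser is enough to
        set a new password and lock the legitimate user out."""
        username = self.sessions.get(session_id)
        if username is None:
            return False
        self.users[username] = hash_password(new_password)
        return True

    def change_password(self, session_id: str, current_password: str, new_password: str) -> bool:
        """Hardened form: re-authenticate with the current password before
        accepting the change, then revoke every other session of that user so
        a session obtained earlier cannot outlive the password it was issued under."""
        username = self.sessions.get(session_id)
        if username is None:
            return False
        if not verify_password(self.users[username], current_password):
            return False  # possession of the session alone does not authorise the change
        self.users[username] = hash_password(new_password)
        self.sessions = {
            sid: user for sid, user in self.sessions.items()
            if user != username or sid == session_id
        }
        return True
```

The re-authentication step is what gives the layered defence the issue asks for: a session stolen through any of the listed weaknesses still cannot change the password, and revoking the other sessions after a successful change means a legitimate password change also evicts whoever else was logged in.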
