Terminate other sessions on credential changes

Summary: Fixes T5509. Currently, existing sessions live on even if you change your password. Over the course of the program, we've recieved a lot of HackerOne reports that sessions do not terminate when users change their passwords. I hold that this isn't a security vulnerability: users can explicitly manage sessions, and this is more general and more powerful than tying session termination to password resets. In particular, many installs do not use a password provider at all (and no researcher has reported this in a general, application-aware way that discusses multiple authentication providers). That said, dealing with these false positives is vaguely time consuming, and the "expected" behavior isn't bad for users, so just align behavior with researcher expectations: when passwords are changed, providers are removed, or multi-factor authentication is added to an account, terminate all other active login sessions. Test Plan: - Using two browsers, established multiple login sessions. - In one browser, changed account password. Saw session terminate and logout in the second browser. - In one browser, removed an authentication provider. Saw session terminate and logout in the second browser. - In one browser, added MFA. Saw session terminate and logout in the second browser. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T5509 Differential Revision: https://secure.phabricator.com/D10135
2024-11-10 08:52:39 +01:00 · 2014-08-04 12:04:35 -07:00 · 2014-08-04 12:04:35 -07:00 · 95eeffff7e
commit 95eeffff7e
parent e56dc8f299
4 changed files with 65 additions and 1 deletions
--- a/src/applications/auth/controller/PhabricatorAuthUnlinkController.php
+++ b/src/applications/auth/controller/PhabricatorAuthUnlinkController.php
@ -57,6 +57,11 @@ final class PhabricatorAuthUnlinkController

    if ($request->isDialogFormPost()) {
      $account->delete();
+
+      id(new PhabricatorAuthSessionEngine())->terminateLoginSessions(
+        $viewer,
+        $request->getCookie(PhabricatorCookies::COOKIE_SESSION));
+
      return id(new AphrontRedirectResponse())->setURI($this->getDoneURI());
    }

@ -130,7 +135,11 @@ final class PhabricatorAuthUnlinkController
    $dialog = id(new AphrontDialogView())
      ->setUser($this->getRequest()->getUser())
      ->setTitle($title)
-      ->appendChild($body)
+      ->appendParagraph($body)
+      ->appendParagraph(
+        pht(
+          'Note: Unlinking an authentication provider will terminate any '.
+          'other active login sessions.'))
      ->addSubmitButton(pht('Unlink Account'))
      ->addCancelButton($this->getDoneURI());

--- a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
+++ b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
@ -250,6 +250,43 @@ final class PhabricatorAuthSessionEngine extends Phobject {
  }


+  /**
+   * Terminate all of a user's login sessions.
+   *
+   * This is used when users change passwords, linked accounts, or add
+   * multifactor authentication.
+   *
+   * @param PhabricatorUser User whose sessions should be terminated.
+   * @param string|null Optionally, one session to keep. Normally, the current
+   *   login session.
+   *
+   * @return void
+   */
+  public function terminateLoginSessions(
+    PhabricatorUser $user,
+    $except_session = null) {
+
+    $sessions = id(new PhabricatorAuthSessionQuery())
+      ->setViewer($user)
+      ->withIdentityPHIDs(array($user->getPHID()))
+      ->execute();
+
+    if ($except_session !== null) {
+      $except_session = PhabricatorHash::digest($except_session);
+    }
+
+    foreach ($sessions as $key => $session) {
+      if ($except_session !== null) {
+        if ($except_session == $session->getSessionKey()) {
+          continue;
+        }
+      }
+
+      $session->delete();
+    }
+  }
+
+
 /* -(  High Security  )------------------------------------------------------ */


--- a/src/applications/settings/panel/PhabricatorSettingsPanelMultiFactor.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelMultiFactor.php
@ -198,6 +198,13 @@ final class PhabricatorSettingsPanelMultiFactor

        $user->updateMultiFactorEnrollment();

+        // Terminate other sessions so they must log in and survive the
+        // multi-factor auth check.
+
+        id(new PhabricatorAuthSessionEngine())->terminateLoginSessions(
+          $user,
+          $request->getCookie(PhabricatorCookies::COOKIE_SESSION));
+
        return id(new AphrontRedirectResponse())
          ->setURI($this->getPanelURI('?id='.$config->getID()));
      }
--- a/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
@ -116,6 +116,10 @@ final class PhabricatorSettingsPanelPassword
          $next = $this->getPanelURI('?saved=true');
        }

+        id(new PhabricatorAuthSessionEngine())->terminateLoginSessions(
+          $user,
+          $request->getCookie(PhabricatorCookies::COOKIE_SESSION));
+
        return id(new AphrontRedirectResponse())->setURI($next);
      }
    }
@ -177,6 +181,11 @@ final class PhabricatorSettingsPanelPassword
        ->setLabel(pht('Best Available Algorithm'))
        ->setValue(PhabricatorPasswordHasher::getBestAlgorithmName()));

+    $form->appendRemarkupInstructions(
+      pht(
+        'NOTE: Changing your password will terminate any other outstanding '.
+        'login sessions.'));
+
    $form_box = id(new PHUIObjectBoxView())
      ->setHeaderText(pht('Change Password'))
      ->setFormSaved($request->getStr('saved'))
@ -187,4 +196,6 @@ final class PhabricatorSettingsPanelPassword
      $form_box,
    );
  }
+
+
 }