15 March 2017 @ 06:04 am
Sign out user from all browsers when password changes?
When a user changes a password on a web site - does the web site have to expire all authentication cookies of that web site that the user has in all browsers?

I noticed that if I sign in to Gmail from two browsers, and then change the password in one of these browsers, then Gmail still allows me to browse email in the other browser.
However, it also shows a red message that functionality is limited due to the password change and gives a sign-in link.

Is it important from a security perspective to end the user's old sessions ASAP?
krech on May 6th, 2017 10:48 pm (UTC)
Does Gmail allow you to browse email when your "another" browser is still open, or also after you close this browser and open it again?
Dennis Gorelik (dennisgorelik) on May 7th, 2017 02:37 am (UTC)
Yes: Gmail allows browsing the same email inbox from two browser tabs simultaneously.
Why do you ask?
krech on May 9th, 2017 11:30 pm (UTC)
I mean, there is some difference in how they let you in - by using a session which was open before the password change, or by permanent cookies which were set before the password change.

But, either way, they shouldn't. A user can lose a device with an already running browser.
Dennis Gorelik (dennisgorelik) on May 10th, 2017 02:56 am (UTC)
When I tried to change the password on my Gmail account in one session, another Gmail session kept working (at least somewhat), but started showing a red message that the password changed and some functionality may not be available.
That red message disappeared after I signed in again.
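
One way a site can end every older session at password change, covering both cases raised in the comments above (a session that was already open and a permanent cookie set earlier). This is an added example, not part of the original thread and not a description of how Gmail works; `SessionStore`, the per-user generation counter and all other names are hypothetical.

```python
import secrets

class SessionStore:
    """Hypothetical in-memory stand-in for a server-side session table."""

    def __init__(self):
        self.generation = {}  # user -> number of password changes so far
        self.sessions = {}    # cookie token -> session record

    def login(self, user, persistent=False):
        # 'persistent' only decides the cookie lifetime in the browser;
        # the server-side check below treats both kinds the same.
        token = secrets.token_urlsafe(32)
        gen = self.generation.setdefault(user, 0)
        self.sessions[token] = {"user": user, "gen": gen, "persistent": persistent}
        return token

    def validate(self, token):
        """Return the user name, or None if the cookie must be rejected."""
        record = self.sessions.get(token)
        if record is None:
            return None
        if record["gen"] != self.generation[record["user"]]:
            del self.sessions[token]  # issued before the last password change
            return None
        return record["user"]

    def change_password(self, user, current_token):
        """Revoke all of the user's sessions; re-issue one for the caller."""
        if self.validate(current_token) != user:
            raise PermissionError("not signed in as this user")
        self.generation[user] += 1           # every older cookie is now stale
        self.sessions.pop(current_token, None)
        return self.login(user)              # fresh cookie for this browser only


def demo():
    store = SessionStore()
    tab = store.login("alice")                          # browser A, session cookie
    remembered = store.login("alice", persistent=True)  # browser B, permanent cookie
    other = store.login("bob")                          # unrelated user
    fresh = store.change_password("alice", tab)         # done in browser A
    return {name: store.validate(tok) for name, tok in
            [("old_tab", tab), ("remembered", remembered),
             ("fresh", fresh), ("bob", other)]}

if __name__ == "__main__":
    print(demo())
```

Because the check runs on the server at every request, the old cookies stop working even in a browser that is still open on another device.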