Describe the Bug
[email protected] (hosted)
Following the Next.js CVE 10/10 compromise,
I updated docker compose and changed the portal & pgsql passwords.
On the portal, I was surprised to stay connected as admin.
Expected >
For security reasons, on password change, existing sessions must be revoked.
If an attacker steals my instance and keeps a valid session on his side, the session is still OK for him after the password change on my side.
As a workaround > truncate session data? (the session collection seems to be related to analytics, not the umami portal)
regards 🙏
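The revocation behaviour the report asks for, as an added example that is not Umami's code and does not reflect its schema or session handling: a hypothetical in-memory `AuthStore` where every user carries a `passwordVersion` counter and every session records the version it was issued under. A password change bumps the counter, so any session minted before the change (the attacker's copy in the scenario above) fails the version check on its next use, while the session the change was made from is re-issued under the new version so the owner stays logged in. All names (`AuthStore`, `passwordVersion`, `resolveSession`) and the sample users and passwords are constructed for the illustration.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Hypothetical data model for the illustration; not Umami's schema.
interface User {
  id: string;
  salt: Buffer;
  passwordHash: Buffer;
  // Incremented on every password change. Sessions store the value they were
  // issued under, so a bump implicitly revokes every older session.
  passwordVersion: number;
}

interface Session {
  userId: string;
  passwordVersion: number;
  createdAt: number;
}

function hashPassword(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, 32);
}

function verifyPassword(user: User, password: string): boolean {
  // Both digests are 32 bytes, so timingSafeEqual is safe to call directly.
  return timingSafeEqual(hashPassword(password, user.salt), user.passwordHash);
}

class AuthStore {
  private users = new Map<string, User>();
  private sessions = new Map<string, Session>();

  createUser(id: string, password: string): void {
    const salt = randomBytes(16);
    this.users.set(id, { id, salt, passwordHash: hashPassword(password, salt), passwordVersion: 1 });
  }

  // Issues an opaque session id bound to the user's current password version.
  login(id: string, password: string): string | null {
    const user = this.users.get(id);
    if (!user || !verifyPassword(user, password)) return null;
    const sessionId = randomBytes(32).toString("hex");
    this.sessions.set(sessionId, { userId: id, passwordVersion: user.passwordVersion, createdAt: Date.now() });
    return sessionId;
  }

  // Returns the user id for a live session, or null. A session issued under an
  // older password version is treated as revoked and removed on first use.
  resolveSession(sessionId: string): string | null {
    const session = this.sessions.get(sessionId);
    if (!session) return null;
    const user = this.users.get(session.userId);
    if (!user || session.passwordVersion !== user.passwordVersion) {
      this.sessions.delete(sessionId);
      return null;
    }
    return user.id;
  }

  // Changes the password, bumps the version and drops every session of the user
  // except (optionally) the one the change was made from, which is re-issued
  // under the new version so the owner is not logged out by their own change.
  changePassword(id: string, oldPassword: string, newPassword: string, currentSessionId?: string): boolean {
    const user = this.users.get(id);
    if (!user || !verifyPassword(user, oldPassword)) return false;
    user.salt = randomBytes(16);
    user.passwordHash = hashPassword(newPassword, user.salt);
    user.passwordVersion += 1;
    this.sessions.forEach((s, sid) => {
      if (s.userId !== id) return;
      if (sid === currentSessionId) {
        s.passwordVersion = user.passwordVersion;
      } else {
        this.sessions.delete(sid);
      }
    });
    return true;
  }
}

// Replays the scenario from the report: the owner and an attacker both hold a
// valid admin session, then the owner changes the password from their session.
function demo(): { stolenBeforeChange: boolean; stolenAfterChange: boolean; ownerAfterChange: boolean; oldPasswordStillWorks: boolean } {
  const store = new AuthStore();
  store.createUser("admin", "correct horse"); // constructed sample credentials
  const ownerSession = store.login("admin", "correct horse") as string;
  const attackerSession = store.login("admin", "correct horse") as string; // e.g. copied from the compromised instance
  const stolenBeforeChange = store.resolveSession(attackerSession) === "admin";
  store.changePassword("admin", "correct horse", "battery staple", ownerSession);
  return {
    stolenBeforeChange,
    stolenAfterChange: store.resolveSession(attackerSession) === "admin",
    ownerAfterChange: store.resolveSession(ownerSession) === "admin",
    oldPasswordStillWorks: store.login("admin", "correct horse") !== null,
  };
}
```

The same check works for stateless tokens (a signed JWT, for instance) by placing the version, or a `passwordChangedAt` timestamp, in the token's claims and comparing it against the user record on every verification; without some server-side value to compare against, a token cannot be revoked before it expires. Note that the store being versioned here is the application's login-session table, which is a different thing from an analytics session table.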