Invalidate session after email change

duderuud

duderuud

Well-known member
How to reproduce:

Multiple browsers on the same device

  1. Log in to your account from two different browsers.
  2. Change the email address in the settings from one browser.
  3. Without logging out, check the other browser.
  4. The session is "updated" instead of being invalidated.

Multiple computers

  1. Log in to your account from two separate computer systems.
  2. Change the email address in the settings from one computer.
  3. Without logging out, check the other computer.
  4. The session is "updated" instead of being invalidated.

Please invalidate the session after an email change to enhance security.
 
Upvote 1

Similar threads

A
  • Question Question
XF 2.2 Deleting an email address - can member still log in?
Replies
5
Views
160
Alvin63
A
duderuud
  • Suggestion Suggestion
Change password reset messages
Replies
0
Views
307
duderuud
duderuud
Ludachris
  • Question Question
XF 2.2 Question about the 2FA process in XF
Replies
1
Views
920
Kirby
K
I
"Security error occurred" dialog when IP address changes
Replies
8
Views
1K
digitalpoint
digitalpoint
TimePiloteer
Not a bug "The active user has changed" message when navigating to forums via email notification links
Replies
1
Views
877
Jeremy P
Jeremy P
Top Bottom