RSS Feed/News Invalidate Session on 2FA Activation/Change

Status
Not open for further replies.
ENXF NET

ENXF NET

Administrator
Staff member
Administrator
Moderator
+Lifetime VIP+
S.V.I.P.S Member
S.V.I.P Member
V.I.P Member
Collaborate
Registered
Joined
Nov 13, 2018
Messages
20,120
Points
823

Reputation:

It seems like it's best-practise to invalidate other sessions on 2FA activation/change ([1], [2]). At the moment, XenForo seems to invalidate other sessions on password change but not on 2FA activation/change.

The scenario goes like this:
  1. Log in to the same account with two different browsers
  2. Enable 2FA in one of the logged-in sessions
  3. Observe that the other browser's session remains active
This has been reported to us via email (with the unfortunately common...

Read more

Continue reading...
 
Status
Not open for further replies.
Top