Skip to content

Commit 651b043

Browse files
committed
[SECURITY] Destroy user sessions on password change
1 parent cf6cfdb commit 651b043

2 files changed

Lines changed: 11 additions & 1 deletion

File tree

Classes/Service/FrontendUserService.php

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@
1414
use TYPO3\CMS\Core\Context\Context;
1515
use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
1616
use TYPO3\CMS\Core\Database\ConnectionPool;
17+
use TYPO3\CMS\Core\Session\SessionManager;
1718
use TYPO3\CMS\Core\Utility\GeneralUtility;
1819

1920
/**
@@ -110,6 +111,15 @@ public function updatePassword(string $newPassword)
110111

111112
// Unset reason for password change in user session
112113
$this->getFrontendUser()->setKey('ses', self::SESSION_KEY, null);
114+
115+
// Destroy all sessions of the user except the current one
116+
$sessionManager = GeneralUtility::makeInstance(SessionManager::class);
117+
$sessionBackend = $sessionManager->getSessionBackend('FE');
118+
$sessionManager->invalidateAllSessionsByUserId(
119+
$sessionBackend,
120+
(int)$this->getFrontendUser()->user['uid'],
121+
$this->getFrontendUser()
122+
);
113123
}
114124

115125
/**

ext_emconf.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@
1010
'state' => 'stable',
1111
'uploadfolder' => '0',
1212
'clearCacheOnLoad' => 0,
13-
'version' => '2.0.4',
13+
'version' => '2.0.5',
1414
'constraints' => [
1515
'depends' => [
1616
'typo3' => '9.5.0-10.4.99',

0 commit comments

Comments
 (0)