Open Closed

Change Password Force Fully Logout Other sessions of that user #6750


User avatar
0
dipak.z created
  • ABP Framework version: v5.2.1
  • UI Type: MVC
  • Database System: EF Core ( PostgreSQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): no
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

-> When User Change Own Password then another sessions of that user force fully logout(this issue show in vulnerability tool report.)


3 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can try to set ValidationInterval of SecurityStampValidatorOptions. The default is 30 minutes.

    If this value is too small, it may affect performance.

    https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.securitystampvalidatoroptions.validationinterval?view=aspnetcore-8.0

  • User Avatar
    0
    dipak.z created

    Any other way because portal is too slow when i put 1 minute

    i have to solve because its show as vulnerability.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    There is no good solution, we can only periodically check in the request if the user has changed the password.

    You can override the SecurityStampValidator.ValidatePrincipalAsync method to validate it yourself in other ways.

    https://github.com/dotnet/aspnetcore/blob/release/8.0/src/Identity/Core/src/SecurityStampValidator.cs#L129-L163

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09