On our web store (Java, Hybris) a user has the opportunity to change a password. According to best vulnerability practice, should we change the SessionId, leave the old one, or maybe create a new Session? What is the best solution?
1 Answer
1
A user wants to reset the password when they:
- Suspect account compromise
- Routinely change the password as a security practice, or are forced to by system policy
I would suggest logging out all of the user's current sessions on the password reset. Also, it's a good idea to implement a mechanism to confirm the user's identity, such as a secure code via SMS/email, a reset-password link over email, etc., which distinguishes between the legitimate user and an attacker.
Yes, it may not be a good user experience.
Read a more detailed answer.

HybrisHelp
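What "log out all current sessions on the password change" looks like in servlet and Spring Security terms, which is the stack Hybris runs on, as an added example that is neither the asker's nor the answerer's code. It assumes Spring Security's `SessionRegistry` is populated (session concurrency control configured with `HttpSessionEventPublisher`), a Servlet 3.1+ container for `changeSessionId()`, and a hypothetical `PasswordStore` interface standing in for whatever actually persists the credential (in Hybris that would be the platform's user service, which is not shown here).

```java
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;

/**
 * Added example: handle a password change by (1) expiring every other session
 * the user holds, so a session an attacker already obtained dies with the old
 * password, and (2) either rotating the id of the session that made the change
 * or invalidating it too, depending on how strict the policy is.
 */
public class PasswordChangeHandler {

    /** Hypothetical: whatever persists the new credential (not a Hybris API). */
    public interface PasswordStore {
        void updatePassword(String username, String newPassword);
    }

    private final SessionRegistry sessionRegistry; // Spring Security's registry of live sessions
    private final PasswordStore passwordStore;
    private final boolean forceReloginEverywhere; // true = kill the current session as well

    public PasswordChangeHandler(SessionRegistry sessionRegistry,
                                 PasswordStore passwordStore,
                                 boolean forceReloginEverywhere) {
        this.sessionRegistry = sessionRegistry;
        this.passwordStore = passwordStore;
        this.forceReloginEverywhere = forceReloginEverywhere;
    }

    /**
     * @param request   the request carrying the session that performed the change
     * @param principal the authenticated user, as stored in the SessionRegistry
     * @param newPassword the already-validated new password
     * @return number of other sessions expired
     */
    public int changePassword(HttpServletRequest request, UserDetails principal, String newPassword) {
        passwordStore.updatePassword(principal.getUsername(), newPassword);

        HttpSession current = request.getSession(false);
        String currentId = current == null ? null : current.getId();

        // Expire all sessions registered for this principal except the one
        // performing the change. The second argument excludes already-expired ones.
        int expired = 0;
        List<SessionInformation> sessions = sessionRegistry.getAllSessions(principal, false);
        for (SessionInformation info : sessions) {
            if (!info.getSessionId().equals(currentId)) {
                info.expireNow(); // ConcurrentSessionFilter logs it out on its next request
                expired++;
            }
        }

        if (current != null) {
            if (forceReloginEverywhere) {
                // Strict option from the answer: the user must log in again
                // everywhere, including the browser that changed the password.
                current.invalidate();
            } else {
                // Friendlier option: keep this browser logged in but on a fresh
                // session id (Servlet 3.1+), so the pre-change id is useless
                // to anyone who captured it. Session attributes are preserved.
                request.changeSessionId();
            }
        }
        return expired;
    }
}
```

Whichever branch is chosen, the pre-change session id should never remain valid: rotating it covers fixation, and expiring the other sessions covers an attacker who is already logged in. A detection-side check is to log the count of expired sessions per password change; a value above zero for a user who normally has one device is worth a look.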