
ZanN.00544 (Customer) asked a question.
The website doesn't invalidate the session after the password is reset, which can enable an attacker to continue using a compromised session.
Steps:
1) Open the same account in two different browsers
2) Change the password in one browser and you will see that the other browser still validates the session after the password change (even after refreshing the page).
What's Okta's guidance in addressing this issue?


If you suspect that an account has been compromised, you (as admin) can use the Clear User Sessions function to sign the user out of all active sessions, revoke Okta Mobile tokens, and revoke refresh tokens to force any OIDC and OAuth clients to re-request access. Clear User Sessions is under the More Actions menu on the user's profile page.

Thanks Mike, but I am rather talking about the password reset initiated by any user in general... I don't think it's scalable to clear the user's sessions through the Okta portal every single time a user changes his password.

You can write a Custom Event Hook for this. Whenever the password change event occurs, get the user ID of the user who changed the password and clear out all the sessions associated with that user. The user will be redirected to the login page automatically after that. I haven't tried this solution, but I am sure this can be implemented using the Event Hook APIs.
Let me know if you need help with how to use Event Hooks; I can provide some insight.

Hi Sandeep, this seems like something I'm looking for. Can you point me in the right direction for the Event Hooks you are talking about and also give some of your insights? Thanks!

Event Hooks are outbound calls from the Okta server. When a specific event occurs in your Okta organization, Okta Event Hooks make a REST API call to your web service. You need to create the web service and host it internet facing. This means you need to write a Java web service and host it in your environment. Point your Okta org to that web service. The purpose of that web service will be to reset/clear the user's sessions whenever the password change event occurs. Use the password change within Okta as the trigger point to call the web service. We have the password change event available in the listed events, i.e. user.account.reset_password
https://developer.okta.com/docs/reference/api/event-types/?q=event-hook-eligible
More Info on the Event Hooks below.
https://developer.okta.com/docs/concepts/event-hooks/
I hope it helps.
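An added example, not from this thread or from Okta, of the hook receiver described above, written in Python rather than Java: it answers Okta's one-time verification challenge, checks the shared secret configured on the hook, and on a `user.account.reset_password` event calls Okta's Clear User Sessions API (`DELETE /api/v1/users/{id}/sessions`) for the targeted user. The org URL, API token, user IDs and sample event payload are constructed assumptions; the HTTP framing (a real server wrapping `handle_hook`) is left to the reader.

```python
import hmac
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

PASSWORD_EVENT = "user.account.reset_password"  # event type named in the thread


def okta_session_clearer(org_url: str, api_token: str) -> Callable[[str], None]:
    """Build a callable that hits Okta's Clear User Sessions API for one user.
    Assumes an SSWS API token with permission to manage users."""
    def clear(user_id: str) -> None:
        req = urllib.request.Request(
            f"{org_url}/api/v1/users/{user_id}/sessions?oauthTokens=true",
            method="DELETE", headers={"Authorization": f"SSWS {api_token}"})
        urllib.request.urlopen(req).close()
    return clear


def handle_hook(method: str, headers: Dict[str, str], body: Optional[str],
                shared_secret: str, clear_sessions: Callable[[str], None]
                ) -> Tuple[int, Optional[dict]]:
    """Process one inbound Okta event-hook request; returns (status, json body)."""
    hdr = {k.lower(): v for k, v in headers.items()}
    # Okta sends the secret configured on the hook in the Authorization header;
    # compare it in constant time and reject anything else before doing work.
    if not hmac.compare_digest(hdr.get("authorization", ""), shared_secret):
        return 401, None
    if method == "GET":
        # One-time endpoint verification: echo the challenge value back to Okta.
        challenge = hdr.get("x-okta-verification-challenge")
        return (200, {"verification": challenge}) if challenge else (400, None)
    if method != "POST" or body is None:
        return 405, None
    cleared: List[str] = []
    for event in json.loads(body).get("data", {}).get("events", []):
        if event.get("eventType") != PASSWORD_EVENT:
            continue  # ignore every other delivered event type
        for target in event.get("target", []):
            if target.get("type") == "User" and target["id"] not in cleared:
                clear_sessions(target["id"])  # sign the user out everywhere
                cleared.append(target["id"])
    return 200, {"cleared": cleared}


# Constructed sample delivery: one password reset plus an unrelated event.
SAMPLE_EVENT = json.dumps({"eventType": "com.okta.event_hook", "data": {"events": [
    {"eventType": PASSWORD_EVENT, "target": [{"id": "00uEXAMPLE1", "type": "User"}]},
    {"eventType": "user.session.start", "target": [{"id": "00uOTHER2", "type": "User"}]}]}})
```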