    Invalidate two factor sign-in when user password changes · 01f8245c
    Drew Blessing authored
    Currently, when a user's password changes between signing in with their
    password and providing the 2FA code/U2F, GitLab successfully allows the
    user to sign in. GitLab should invalidate the sign-in process when
    this happens. This change invalidates the sign-in process when the
    user updated_at attribute changes between the two phases of sign-in.
security-214-dblessing-revoke-session-on-pw-change.yml 106 Bytes
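
The check the commit message describes, as an added Ruby sketch that is not GitLab's code: the `User` struct, the `TwoPhaseSignIn` class and the session keys are hypothetical, and the password and OTP comparisons are stand-ins for real verification.

```ruby
# Added illustration: names and session keys are hypothetical, not GitLab's.
User = Struct.new(:id, :password, :otp, :updated_at)

class TwoPhaseSignIn
  def initialize(users)
    @users = users # id => User
  end

  # Phase 1: password check (stand-in comparison). Stores the user id and a
  # snapshot of updated_at in the pending, not yet authenticated, session.
  def password_phase(session, id, password)
    user = @users[id]
    return :denied unless user && user.password == password
    session[:otp_user_id] = user.id
    session[:otp_user_updated_at] = user.updated_at
    :otp_required
  end

  # Phase 2: re-load the user and compare against the snapshot before the
  # second factor is evaluated; a mismatch discards the pending sign-in.
  def otp_phase(session, code)
    user = @users[session[:otp_user_id]]
    snapshot = session[:otp_user_updated_at]
    return :denied unless user && snapshot
    if user.updated_at != snapshot
      session.clear
      return :restart_sign_in
    end
    return :denied unless user.otp == code # stand-in for TOTP/U2F verification
    session.clear
    session[:user_id] = user.id
    :signed_in
  end
end

def demo
  t0 = Time.utc(2020, 1, 1, 12, 0, 0) # constructed sample data
  user = User.new(1, 'old-pass', '123456', t0)
  flow = TwoPhaseSignIn.new({ 1 => user })
  stale = {}
  flow.password_phase(stale, 1, 'old-pass')
  # Password changed between the two phases; the save bumps updated_at.
  user.password, user.updated_at = 'new-pass', t0 + 60
  stale_result = flow.otp_phase(stale, '123456')
  fresh = {}
  flow.password_phase(fresh, 1, 'new-pass')
  [stale_result, flow.otp_phase(fresh, '123456'), stale.empty?]
end
```

In this sketch any write that moves `updated_at` between the phases, not only a password change, forces the sign-in to restart, so the check fails closed.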