Secure session management after password change
    // Assumed: this method lives in a controller that imports
    // Illuminate\Http\Request, Illuminate\Support\Facades\Auth and
    // Illuminate\Support\Facades\Hash.
    public function changePassword(Request $request)
    {
        $user = Auth::user();

        $validatedData = $request->validate([
            'old_password' => 'required',
            'new_password' => 'required|min:6',
        ]);

        // Verify the current password against the stored bcrypt hash.
        if (!Hash::check($validatedData['old_password'], $user->password)) {
            return redirect()->back()->withErrors(['old_password' => 'Old password is incorrect']);
        }

        // Store the new hash, but leave the session untouched (this is the bug).
        $user->password = Hash::make($validatedData['new_password']);
        $user->save();

        return redirect()->back()->with('message', 'Password successfully changed');
    }
The above code is a method in a Laravel controller that handles password changes for the authenticated user. The user's current password is checked against the hashed password stored in the database. If the password is correct, the new password is hashed and saved in the user's record.
However, the vulnerability lies in the fact that the user's session is not invalidated or regenerated after the password change. This means that if an attacker had previously hijacked the user's session, they would still have access to the user's account even after the password has been changed. This is a security risk as it allows for potential unauthorized access and actions on the user's account.
    // Assumed: same controller and imports as above.
    public function changePassword(Request $request)
    {
        $user = Auth::user();

        $validatedData = $request->validate([
            'old_password' => 'required',
            'new_password' => 'required|min:6',
        ]);

        if (!Hash::check($validatedData['old_password'], $user->password)) {
            return redirect()->back()->withErrors(['old_password' => 'Old password is incorrect']);
        }

        $user->password = Hash::make($validatedData['new_password']);
        $user->save();

        // Log the user out of the current session ...
        Auth::logout();
        // ... and, as Laravel's documentation recommends alongside logout(),
        // invalidate the session data and rotate the CSRF token so the old
        // session ID and token are no longer usable.
        $request->session()->invalidate();
        $request->session()->regenerateToken();
        // Note: this terminates the session that made the request; sessions on
        // other devices are handled by Laravel's AuthenticateSession middleware,
        // which logs them out once the stored password hash no longer matches.

        // Redirect the user to the login page
        return redirect()->route('login')->with('message', 'Password successfully changed. Please log in with your new password');
    }
The updated code includes a fix for the insecure session management vulnerability. After the user's password is successfully changed, the current session is invalidated by calling the logout method from Laravel's Auth facade. This ensures that the user is logged out and any existing session is terminated, preventing potential unauthorized access with old session data.
After the session is invalidated, the user is redirected to the login page where they can log in with their new password. This is done using the redirect method with the named route 'login'. A flash message is also set using the with method, informing the user that their password has been successfully changed and they need to log in again.
This fix ensures that if an attacker had access to the old session, they would be immediately logged out when the password is changed, enhancing the security of the application.
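A regression test pins this behaviour down so the session handling cannot silently regress. The test below is an added example, not code from the original page; it assumes the fixed method is routed as POST /password/change, that the login page is the named route 'login', and a standard Laravel User model with a factory. It covers only the session that performed the change; sessions on other devices are the job of Laravel's AuthenticateSession middleware, which is not exercised here.

```php
<?php

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Tests\TestCase;

class PasswordChangeSessionTest extends TestCase
{
    use RefreshDatabase;

    // Assumed route for the changePassword() method shown above.
    private const ENDPOINT = '/password/change';

    public function test_old_session_is_terminated_after_password_change(): void
    {
        $user = User::factory()->create(['password' => Hash::make('old-secret')]);

        $response = $this->actingAs($user)->post(self::ENDPOINT, [
            'old_password' => 'old-secret',
            'new_password' => 'new-secret-123',
        ]);

        // The stored hash must now verify against the new password ...
        $this->assertTrue(Hash::check('new-secret-123', $user->fresh()->password));

        // ... and the session that made the change must no longer be authenticated.
        $this->assertGuest();
        $response->assertRedirect(route('login'));
        $response->assertSessionHas('message');
    }

    public function test_wrong_old_password_changes_nothing_and_keeps_session(): void
    {
        $user = User::factory()->create(['password' => Hash::make('old-secret')]);

        $response = $this->actingAs($user)->post(self::ENDPOINT, [
            'old_password' => 'not-the-password',
            'new_password' => 'new-secret-123',
        ]);

        // Rejected attempt: error reported, hash unchanged, session still valid.
        $response->assertSessionHasErrors('old_password');
        $this->assertTrue(Hash::check('old-secret', $user->fresh()->password));
        $this->assertAuthenticatedAs($user);
    }
}
```

Run it with `php artisan test --filter PasswordChangeSessionTest`; against the original (vulnerable) controller the first test fails at assertGuest(), against the fixed one both pass.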