To give you context, one of my colleagues had her account used by somebody we didn’t know. Maybe she gave her account details to someone due to some urgency – but now she has reset her password. My question is, does your system invalidate all existing sessions tied to the account upon password reset? Our current expectation is that all existing sessions will be logged out automatically.
We don’t log out / expire all sessions in case of a password change, but the previous sessions will no longer renew.
Practically, this means that you should log out and log in again in your browser after changing the password; that will mark all previous sessions as “non-renewing”. Sessions right now are valid for 3 days; once those sessions expire, that user will be prompted to sign in again (the session will not renew).
That said, please do not share your user login with anyone. You can grant access to other users and you can revoke those rights at any time. If possible, please also enable two-factor authentication.
Thanks for the answer. Thankfully, one of our colleagues was the one using the account. In the case of an actual account / credential breach, would it make sense to immediately expire all active sessions upon password reset? My concern is that with your 3-day policy, I think it’s plenty of time to download all the provisioning profiles, secret vars, etc.
To be honest, simply reducing this time frame usually won’t matter at all, since if you grant access to someone else, those files will most likely be downloaded before you reset your password.
That said, as security is really important for us, we’re definitely thinking about (and working on) related features, but in addition to forceful session expiry/revocation, a notification (email) on sign-in would also help a lot (e.g. an email that someone signed in with your account).
We’ll try to do our best to provide these and additional security-related features; in the meantime, please activate two-factor authentication for your account and do not share user logins! If you share your login with someone else, we simply cannot prevent that user from signing in to your account, as you shared all the required login information. Two-factor authentication can still help to some extent.
Don’t get me wrong, I definitely agree with you @dvdchr-tvlk, I just think simply shortening the session timeout wouldn’t be the best solution.
If you have some time, feel free to create a #feature-request for e.g. the “email notification on login” feature, and any other one you might want; even if those are on our roadmap, #feature-requests definitely help us prioritize things, and to notify you once it’s available.
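As an added illustration of the two behaviours discussed in this thread (example code, not the service’s own implementation): a session store that tags each session with the account’s password generation, so that sessions issued before a password change are either left usable until expiry but non-renewing (the current behaviour described above), or revoked outright on the password change (the behaviour the question asks for), depending on a flag. All class and function names are assumptions made for this example; the 3-day validity comes from the thread.

```python
from dataclasses import dataclass
import secrets

SESSION_TTL = 3 * 24 * 3600  # 3 days, the validity period mentioned in the thread

@dataclass
class Account:
    password_generation: int = 0  # bumped on every password change

@dataclass
class Session:
    token: str
    expires_at: int
    password_generation: int  # generation the session was issued under

class SessionStore:
    def __init__(self, account, revoke_on_password_change):
        self.account = account
        self.revoke_on_password_change = revoke_on_password_change
        self.sessions = {}

    def sign_in(self, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, now + SESSION_TTL,
                                       self.account.password_generation)
        return token

    def change_password(self):
        self.account.password_generation += 1
        if self.revoke_on_password_change:
            # forceful revocation: every session issued under the old password goes
            self.sessions = {t: s for t, s in self.sessions.items()
                             if s.password_generation == self.account.password_generation}

    def is_valid(self, token, now):
        s = self.sessions.get(token)
        return s is not None and now < s.expires_at

    def renew(self, token, now):
        s = self.sessions.get(token)
        if s is None or now >= s.expires_at:
            return False
        if s.password_generation != self.account.password_generation:
            # "non-renewing": usable until expiry, but never extended
            return False
        s.expires_at = now + SESSION_TTL
        return True
```

With `revoke_on_password_change=False` an old session keeps working for up to 3 days after the reset but every renewal is refused; with `True` it is gone the moment the password changes.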