vinpkl — 2012-10-08T08:36:18-04:00 — #1
Do you make your clients auto logout immediately after they change password?
kduv — 2012-10-08T09:54:23-04:00 — #2
That's really your choice. How do you want your site to work?
jestep — 2012-10-08T10:55:42-04:00 — #3
What would be the benefit, security or otherwise, of forcing a re-login? They've already authenticated, so it seems like an unnecessary inconvenience under normal circumstances.
felgall — 2012-10-08T16:48:10-04:00 — #4
I can't see any benefit in forcing them to enter the new password a third time straight after entering it the first two times.
I do require that the old password be re-entered when entering a new password even though they are already logged in - so as to prevent someone else changing their password if they leave the session unattended.
tomb — 2012-10-09T05:13:08-04:00 — #5
I agree. I also think it's a good idea to force a password entry to update their email address. Otherwise someone could change the email address and then use 'Forgot password' to reset it, gaining access to the account without ever knowing the password.
system — 2012-10-09T05:42:07-04:00 — #6
I want the PHP code for clients auto logout immediately after they change password.
logic_earth — 2012-10-09T06:05:44-04:00 — #7
Everyone would want a lot of things, but we rarely get them when we demand. Please see: Manners.
lemon_juice — 2012-10-09T18:01:22-04:00 — #8
Not on the computer (session) where they have just entered the new password. But if I have an auto-login feature - a "remember me" checkbox, so that the user's session cookie is stored for a longer period of time on his computer - then there may be a situation where he has open sessions on many computers. After changing his password I always invalidate all those sessions except the current one. I think this is important if someone changes their password because of unauthorised access suspicion - they will want to be sure that no one can access their account without entering the new password first.
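Added example, not code from any poster in the thread: PHP showing the two controls described in posts #4 and #8, re-checking the old password and then revoking every other session of that user while keeping the current one. The SQLite tables, function names and sample passwords are assumptions made for the example, and it presumes each login (including "remember me" cookies) is tracked in a server-side table rather than only in PHP's default session files.

```php
<?php
// Added example with a constructed schema; none of these names come from the thread.
// Each login is a row in `sessions`, stored as a SHA-256 of the random cookie
// token so that it can be revoked server-side. Requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, pw_hash TEXT NOT NULL)');
$db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL)');

function issueSession(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32));            // value sent to the browser in the cookie
    $db->prepare('INSERT INTO sessions VALUES (?, ?)')
       ->execute([hash('sha256', $token), $userId]);
    return $token;
}

function changePassword(PDO $db, string $token, string $old, string $new): bool {
    $current = hash('sha256', $token);
    $st = $db->prepare('SELECT u.id, u.pw_hash FROM sessions s
                        JOIN users u ON u.id = s.user_id WHERE s.token_hash = ?');
    $st->execute([$current]);
    $user = $st->fetch(PDO::FETCH_ASSOC);
    // Being logged in is not enough: the old password must match (post #4).
    if ($user === false || !password_verify($old, $user['pw_hash'])) {
        return false;
    }
    $db->beginTransaction();
    $db->prepare('UPDATE users SET pw_hash = ? WHERE id = ?')
       ->execute([password_hash($new, PASSWORD_DEFAULT), $user['id']]);
    // Revoke every other session of this user; only the current one survives (post #8).
    $db->prepare('DELETE FROM sessions WHERE user_id = ? AND token_hash <> ?')
       ->execute([$user['id'], $current]);
    $db->commit();
    return true;
}

// Constructed demo data: one user logged in on three devices.
$db->prepare('INSERT INTO users VALUES (1, ?)')
   ->execute([password_hash('old-pass', PASSWORD_DEFAULT)]);
$laptop = issueSession($db, 1);
$phone  = issueSession($db, 1);
$kiosk  = issueSession($db, 1);

var_dump(changePassword($db, $kiosk, 'wrong-guess', 'x'));       // unattended session, old password unknown
var_dump(changePassword($db, $laptop, 'old-pass', 'new-pass'));  // owner changes the password on the laptop
echo $db->query('SELECT COUNT(*) FROM sessions')->fetchColumn(), " session(s) left\n";
var_dump(changePassword($db, $phone, 'new-pass', 'y'));          // phone token no longer maps to a session
```

The same old-password check applies to the email-change case raised in post #5, since a changed address feeds the "Forgot password" flow.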