
Expire user's valid session/tokens after admin deletes user or changes user's password #333

@menghaining

Description


When the admin deletes a user or changes the user's password, the user's current valid session/token is not expired, so the old session/token remains valid.
This is a CWE-613 (Insufficient Session Expiration) weakness.


Attack Example

  1. admin logs in, user1 logs in;
  2. admin deletes user1 or changes user1's password to the default;
  3. user1 can still operate with the old session/token, which should have expired.

Deleting a user as admin

@AdminRequired
@DeleteMapping("/user/{id}")
@PermissionMeta(value = "删除用户", mount = false)
public DeletedVO deleteUser(@PathVariable @Positive(message = "{id.positive}") Integer id) {
    // Removes the user record only; tokens already issued to this user are not invalidated
    adminService.deleteUser(id);
    return new DeletedVO(5);
}


Changing password

@AdminRequired
@PutMapping("/user/{id}/password")
@PermissionMeta(value = "修改用户密码", mount = false)
public UpdatedVO changeUserPassword(@PathVariable @Positive(message = "{id.positive}") Integer id, @RequestBody @Validated ResetPasswordDTO validator) {
    // Admin-side reset: delegates to the same credential update below
    adminService.changeUserPassword(id, validator);
    return new UpdatedVO(4);
}

@PutMapping("/change_password")
@LoginRequired
public UpdatedVO updatePassword(@RequestBody @Validated ChangePasswordDTO validator) {
    // User-side change: also delegates to the credential update below
    userService.changeUserPassword(validator);
    return new UpdatedVO(4);
}

public boolean changePassword(Integer userId, String password) {
    // Only the stored credential is replaced; nothing here expires the user's existing sessions/tokens
    String encrypted = EncryptUtil.encrypt(password);
    UserIdentityDO userIdentity = UserIdentityDO.builder().credential(encrypted).build();
    QueryWrapper<UserIdentityDO> wrapper = new QueryWrapper<>();
    wrapper.lambda().eq(UserIdentityDO::getUserId, userId);
    return this.baseMapper.update(userIdentity, wrapper) > 0;
}
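An added example of the usual mitigation, not code from this issue or from the project: each issued token carries the user's current credential version, and the per-request check rejects any token whose user no longer exists or whose version no longer matches, so a password change or deletion retires every earlier token immediately. It is written in Python with a toy HMAC token so it runs stand-alone; `UserStore`, `SECRET` and the claim names are assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: server-side HMAC key for the demo

class UserStore:
    """Server-side state consulted on every request. Bumping cred_version
    (or removing the user) is what retires every previously issued token."""
    def __init__(self):
        self.users = {}  # user_id -> current credential version

    def add_user(self, uid):
        self.users[uid] = 1

    def change_password(self, uid):
        # Storing the new hash is unchanged; the fix is bumping the version.
        self.users[uid] += 1

    def delete_user(self, uid):
        self.users.pop(uid, None)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def issue_token(store, uid, ttl=3600):
    claims = {"uid": uid, "exp": int(time.time()) + ttl, "ver": store.users[uid]}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def validate_token(store, token):
    """Return (ok, reason). Signature and expiry are the usual checks; the
    existence and version checks are what close CWE-613 for this issue."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(sig, _sign(body)):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] < time.time():
        return False, "expired"
    current = store.users.get(claims["uid"])
    if current is None:
        return False, "user deleted"
    if claims["ver"] != current:
        return False, "password changed"
    return True, "ok"
```

The same effect can be had without a version claim by comparing the token's issue time against a per-user "credentials last changed" timestamp; either way the check needs one cheap lookup of server-side state per request.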
