MM-918 [WIP]: Invalidate all user sessions after password change

[jnsereko]

This issue is still in development :
Every time a user changes his/her password, so long as he/she has not clicked the logout link, he/she can still login using his/her previous password.

cc @isears @sherrif10 @ibacher @dkayiwa

[ibacher]

Does this forcibly log the user out? (I don't think that's desirable behaviour)

[jnsereko]

Does this forcibly log the user out?

Yes @ibacher The user is forcefully logged out. Thank you

[jnsereko]

maybe i should remove line 115 and add the code below to logout the user using the context so that he is redirected to the login screen. What is the better option?

 Context.logout();
 request.getSession().invalidate();
 request.getSession().setAttribute("manual-logout", "true");

[ibacher]

I mean, the real ideal would be if there's a way for a user to change their password and have the session continue uninterrupted, but, yeah, if we're going to log the user out, maybe just do the whole thing. We could even add a redirect to the login page here?

[jnsereko]

I came across this when i was trying to find out why different sessions exist after a password change.

Before:

06.08.2021_17.56.19_REC.mp4

After:

06.08.2021_17.45.47_REC.mp4

[ibacher]

@jnsereko Thanks for the videos. So it looks like we're logging the user out anyways, I suppose we might as well continue with that behaviour.

[jnsereko]

So it looks like we're logging the user out anyways,

@ibacher I think, it would be better this way. Thank you so much
@isears

[isears]

Thanks @jnsereko

I also think it would be a good idea to redirect to login after a password change, if that doesn't already happen automatically.

Also, let's try to take this one step further and invalidate all the user's active sessions (e.g. on different browsers, or on different devices) on a password change. Do you think you can incorporate any of the ideas from this PR: openmrs/openmrs-module-webservices.rest#486 ?

[jnsereko]

Hey @isears @ibacher. Thanks for the review

I also think it would be a good idea to redirect to login after a password change,

My own worry is that after password change, I wanted to display a successful password change message. If the user is redirected to the login, will it be possible for us to display that successful password message? I tried it but it failed.

Do you think you can incorporate any of the ideas from this PR: openmrs/openmrs-module-webservices.rest#486 ?

This is really helpful @isears, thank you

[jnsereko]

I have added some changes but this PR depends on openmrs/openmrs-module-legacyui#171

cc @ibacher @sherrif10 @isears

[ibacher]

@jnsereko If this depends on something in the legacyui, that's an argument to move it into core.

[jnsereko]

so this fix corrects two bugs:

• Invalidate all user sessions on password change: If user is logged in from different devices or browsers, all his sessions will be invalidated
• Authentication bug on password change: A user could login with previous password after password change. This was because an old session existed in the system that allowed login with old credentials.

session.invalidation.mp4

cc @ibacher @dkayiwa