Help Center

Improved

Newsletter

Product suite

Support suite

💡 Share your ideas

feedback

Report any issues or something not working as expected

Request changes to your billing, invoices, or subscription

In Review

Awaiting clarification

Planned

ASAP

Waiting on customer

Investigating

In Progress

Partially Completed

Beta

Already exists

Completed

Canceled

Follow the development progress of our entire platform.

Next up

Done

Universal Roadmap

Follow the development progress of our Support platform:

Backlog

Support Roadmap

Follow the development progress of our Feedback product:

Feedback Roadmap

Follow the development progress of our Help Center product:

Help Center Roadmap

Follow the development progress of our Changelog product:

Changelog Roadmap

Follow the development progress of our Survey product:

Survey Roadmap

Follow the development of our integrations:

Integrations

Please tell us what we can do to make Featurebase the best product for you.

Share your product feedback!

Hey {name|there}! 👋

The application fails to invalidate existing active sessions upon a password change event. When a user changes their password in one session, other concurrent sessions (on different browsers or devices) remain active. This violates secure session management best practices (OWASP) and prevents a compromised user from effectively locking out an attacker. 

Steps to Reproduce:
1. Log in to Browser A.
2. Log in to Browser B.
3. Change password in Browser A.
4. Browser B session remains active.

Expected Behavior: All other active sessions should be immediately terminated, forcing the user to re-authenticate with the new password.

Featurebase

Lack of Session Invalidation After Password Change

Subscribe to post

Subscribe to post