Blog | G5 Cyber Security

Change Password While Logged In

TL;DR

Changing a user’s password while they are actively logged in requires careful handling to avoid session invalidation or unexpected behaviour. The best practice is to use a temporary token-based approach, allowing the change to happen without immediately logging the user out. This guide details how to implement this securely.

Steps

  1. Generate a Unique Token: When the user initiates the password change process (e.g., clicks ‘Change Password’), create a unique, time-limited token.
    • This token should be stored server-side associated with the user’s session or account.
    • Use a cryptographically secure random number generator for token creation. Example using Python:
    import secrets
    import time

    # 16 random bytes from the OS CSPRNG, rendered as 32 hex characters
    token = secrets.token_hex(16)
    # Absolute Unix timestamp after which the token is rejected (valid for 1 hour)
    expiry_time = int(time.time()) + 3600
    # Store token and expiry_time server-side, associated with the user
  2. Redirect to Password Change Form: Redirect the user to a dedicated password change form, appending the token as a query parameter.

    Example URL: /change-password?token=your_generated_token

  3. Validate the Token on Form Submission: When the user submits the new password:
    • Retrieve the token from the query parameter.
    • Check if the token exists in your server-side storage.
    • Verify that the token hasn’t expired (compare against expiry_time).
    • If the token is invalid or expired, display an error message and prompt the user to restart the password change process.
  4. Update Password: If the token is valid:
    • Hash the new password using a strong hashing algorithm (e.g., bcrypt, Argon2). Never store passwords in plain text!
    • Replace the old password hash with the new one in your database.
  5. Invalidate the Token: Immediately after successfully updating the password, invalidate the token. This prevents it from being used again.

  6. Session Management (Important):
    • Avoid immediately invalidating the user’s session. This can cause a frustrating experience if they are in the middle of something.
    • Consider forcing a re-authentication on the next significant action (e.g., accessing sensitive data) or after a short grace period.
  7. Security Considerations:
    • Token Length: Use sufficiently long tokens to prevent brute-force attacks. 16 bytes (32 hexadecimal characters) is generally considered good.
    • HTTPS: Always use HTTPS to protect the token during transmission.
    • Rate Limiting: Implement rate limiting on password change requests to mitigate abuse.
    • Cross-Site Request Forgery (CSRF): Protect your password change form with CSRF tokens.
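The seven steps above, carried through as one runnable flow. This is an added example and not code from the post or from G5 Cyber Security; it makes several assumptions: in-memory dictionaries stand in for the database and session store, `hashlib.scrypt` from the standard library stands in for the bcrypt/Argon2 the post recommends (so the example runs offline), the token store keeps only a SHA-256 of each token rather than the token itself, and every function accepts an optional `now` timestamp so expiry and rate limiting can be exercised deterministically.

```python
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # one hour, as in the post
RATE_LIMIT = 5            # assumed: max password-change requests per window
RATE_WINDOW = 600         # assumed: window length in seconds

# Constructed in-memory stores standing in for a database (assumption).
users = {}          # user_id -> {"salt": bytes, "hash": bytes}
change_tokens = {}  # sha256(token) -> {"user_id": str, "expires": int}
attempts = {}       # user_id -> list of request timestamps


def _now(now):
    return int(time.time()) if now is None else now


def hash_password(password, salt=None):
    """Step 4: slow, salted hash. scrypt is a stdlib stand-in for bcrypt/Argon2."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def set_password(user_id, password):
    """Replace the stored hash; the plaintext is never persisted."""
    salt, digest = hash_password(password)
    users[user_id] = {"salt": salt, "hash": digest}


def verify_password(user_id, password):
    rec = users.get(user_id)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])


def _token_key(token):
    # Only a hash of the token is stored, so a leaked store yields nothing usable.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_change_token(user_id, now=None):
    """Step 1: unique, time-limited token bound to the user, stored server-side."""
    token = secrets.token_hex(16)  # 128 bits of CSPRNG entropy
    change_tokens[_token_key(token)] = {
        "user_id": user_id,
        "expires": _now(now) + TOKEN_TTL_SECONDS,
    }
    return token  # step 2: the caller places this in the form URL


def validate_change_token(token, user_id, now=None):
    """Step 3: token must exist, belong to this user, and be unexpired."""
    key = _token_key(token)
    rec = change_tokens.get(key)
    if rec is None or rec["user_id"] != user_id:
        return False
    if _now(now) > rec["expires"]:
        change_tokens.pop(key, None)  # prune expired entry
        return False
    return True


def rate_limited(user_id, now=None):
    """Step 7: sliding-window limit on change attempts, valid or not."""
    t = _now(now)
    recent = [ts for ts in attempts.get(user_id, []) if t - ts < RATE_WINDOW]
    recent.append(t)
    attempts[user_id] = recent
    return len(recent) > RATE_LIMIT


def change_password(user_id, token, new_password, now=None):
    """Steps 3-5 on form submission. Returns a status string for the view layer."""
    if rate_limited(user_id, now):
        return "rate_limited"
    if not validate_change_token(token, user_id, now):
        return "invalid_token"  # prompt the user to restart the process
    set_password(user_id, new_password)
    change_tokens.pop(_token_key(token), None)  # step 5: single use
    return "ok"


if __name__ == "__main__":
    set_password("alice", "old-pw")
    tok = issue_change_token("alice")
    print(change_password("alice", tok, "new-pw"))       # ok
    print(change_password("alice", tok, "again"))        # invalid_token (token consumed)
    print(verify_password("alice", "new-pw"))            # True
```

The lookup is the same whether the token arrives as the query parameter in step 2 or as a hidden form field, and because `change_tokens` holds only a SHA-256 of each value, a copied database or a web-server access log containing the URL does not by itself hand an attacker a reusable token. The session itself is untouched here, matching step 6: the application decides separately when to demand re-authentication.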