User retains active session after its password is changed by an admin
Article Number: 000021604
Environment
- Rancher 2.8.x
- Rancher 2.9.x
Situation
If an admin changes the password of a user while said user has an active session, the user can continue to use its session without needing to re-login.
This scenario results on any active session for that user to remain active, even though the password has changed. If the password change was triggered due to the account being compromised, the administrator has no way to invalidate the active sessions, therefore the malicious user retains access until their session expires.
Resolution
Admins can delete session tokens for that particular user themselves.
kubectl get token \
-o custom-columns=":metadata.name" \
-l authn.management.cattle.io/kind=session,authn.management.cattle.io/token-userId=<user name> \
| xargs kubectl delete token
The manual remediation above force user sessions to be invalidated, for both local auth and external auth providers.