Skip to content

User retains active session after its password is changed by an admin

This document (000021604) is provided subject to the disclaimer at the end of this document.

Environment

  • Rancher 2.8.x
  • Rancher 2.9.x

Situation

If an admin changes the password of a user while said user has an active session, the user can continue to use its session without needing to re-login.

This scenario results on any active session for that user to remain active, even though the password has changed. If the password change was triggered due to the account being compromised, the administrator has no way to invalidate the active sessions, therefore the malicious user retains access until their session expires.

Resolution

Admins can delete session tokens for that particular user themselves.

kubectl get token  \
-o custom-columns=":metadata.name" \
-l authn.management.cattle.io/kind=session,authn.management.cattle.io/token-userId=<user name> \
| xargs kubectl delete token

The manual remediation above force user sessions to be invalidated, for both local auth and external auth providers.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.