Skip to content

User retains active session after its password is changed by an admin

Article Number: 000021604

Environment

  • Rancher 2.8.x
  • Rancher 2.9.x

Situation

If an admin changes the password of a user while said user has an active session, the user can continue to use its session without needing to re-login.

This scenario results on any active session for that user to remain active, even though the password has changed. If the password change was triggered due to the account being compromised, the administrator has no way to invalidate the active sessions, therefore the malicious user retains access until their session expires.

Resolution

Admins can delete session tokens for that particular user themselves.

kubectl get token  \
-o custom-columns=":metadata.name" \
-l authn.management.cattle.io/kind=session,authn.management.cattle.io/token-userId=<user name> \
| xargs kubectl delete token

The manual remediation above force user sessions to be invalidated, for both local auth and external auth providers.