GitLab.org / GitLab / Issues / #31307
Closed
Issue created Aug 27, 2019 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Previously created sessions remain active after activating 2FA

HackerOne report #676772 by xanbanx on 2019-08-19, assigned to jmatos_bgtvf:

Summary

I found a security problem related to your 2FA implementation. GitLab does not purge user sessions when 2FA gets activated. Instead, they are kept alive without 2FA ever having been required for them.

Steps to reproduce

  1. Create 2 sessions on two devices, now named session A and B
  2. On session A, go to the user settings and activate 2FA
  3. On session B, reload the page. Session B is still active although it was not logged in with 2FA and can use GitLab normally.

Impact

Sessions without 2FA are kept alive when 2FA gets activated. So these sessions are still usable although 2FA was activated.

Examples

This happens on gitlab.com.

What is the current bug behavior?

Older sessions are kept active when 2FA gets activated.

What is the expected correct behavior?

When 2FA gets activated, all older sessions should be purged forcing them to re-login with 2FA.

Impact

See above.
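The expected behaviour the report asks for, as an added example that is not part of the issue or of GitLab's own code: a hypothetical in-memory session registry in which enabling 2FA from one session revokes the user's other sessions, and any session that was not established with a 2FA check is rejected once the user has 2FA enabled (all class and method names are assumptions).

```ruby
# Added example, not GitLab code: an in-memory session registry in which
# enabling 2FA revokes every other session of the user. Names are hypothetical.
require 'securerandom'

class SessionRegistry
  Session = Struct.new(:id, :user_id, :two_factor_verified, keyword_init: true)

  def initialize
    @sessions = {}          # session id => Session
    @two_factor_users = {}  # user id => true once 2FA is enabled
  end

  # Log a user in; a session created before 2FA is enabled is not 2FA-verified.
  def login(user_id, two_factor_verified: false)
    id = SecureRandom.hex(16)
    @sessions[id] = Session.new(id: id, user_id: user_id, two_factor_verified: two_factor_verified)
    id
  end

  # A session is usable only if it still exists and, when the user has 2FA
  # enabled, it was established with a 2FA check (second line of defence if
  # a revocation was ever missed).
  def active?(session_id)
    s = @sessions[session_id]
    return false if s.nil?
    !@two_factor_users[s.user_id] || s.two_factor_verified
  end

  # Enable 2FA from session `current_id`: mark that session as verified (the
  # user just proved possession of the second factor) and revoke every other
  # session of the same user, so they must log in again with 2FA.
  def enable_two_factor!(current_id)
    current = @sessions.fetch(current_id)
    @two_factor_users[current.user_id] = true
    current.two_factor_verified = true
    revoked = @sessions.values.select { |s| s.user_id == current.user_id && s.id != current_id }
    revoked.each { |s| @sessions.delete(s.id) }
    revoked.map(&:id)
  end
end

# Replay the report's scenario: sessions A and B for one user, 2FA enabled from A.
def replay_report
  reg = SessionRegistry.new
  a = reg.login(42)
  b = reg.login(42)
  revoked = reg.enable_two_factor!(a)
  { a_active: reg.active?(a), b_active: reg.active?(b), revoked: revoked }
end
```

With the fix in place, session B (step 3 of the report) is no longer usable after step 2, while the session that enabled 2FA stays logged in.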
