Potential vulnerability: login, change password and OJS sessions

We have an OJS instance running at https://library.wur.nl/ojs
We received the following e-mail. We would like to know if this is a known security issue and if it will be fixed. (I couldn’t find info about it)

Kind regards,

Respected Sir,

I am a security researcher from India.

## Summary:

While conducting my research I discovered that the application Failure to invalidate session after changing the password doesn’t destroy the other sessions which are logged in with old passwords.

*## Vulnerable URL: https://library.wur.nl/ojs/index.php/frontis/login *

## Steps To Reproduce:

1) Open the same accounts in two different browsers
2) Change the password in one browser and you will see that another browser still validates the session after the password change (even after refreshing the page ).

## Impact

If the user login his account at some different person’s computer and forgot to log out. The person in which the system user has a login can access his/her account because the old session of the user at that person’s system is not going to expire if a user might change his password.


I say it can be considered as a security issue even though it’s more like a feature of an app . Now a days most of the modern apps and framework does provide this functionality. We have already implemented this feature/fix for the upcoming release version 3.4, see the details at https://github.com/pkp/pkp-lib/issues/6983 . But right now it’s not included in any of the stable releases .