Describe the bug
Enabling MFA invalidates current session to force the user to login again, this time with his MFA of choice. If the user has other active sessions those sessions will still remain active. This is problematic, as it's possible to disable previously enabled MFA from those sessions (or do anything that a logged in user can do, at least until the session expires) without the need to provide otherwise required one time password/keys/wallets etc.
To Reproduce
Steps to reproduce the behavior:
- Have at least 2 sessions active
- Enable MFA on one of the sessions, this session will be invalidated afterwards
- Observe that the second session is still active
Expected behavior
Enabling MFA should invalidate all sessions of a user.
Describe the bug
Enabling MFA invalidates current session to force the user to login again, this time with his MFA of choice. If the user has other active sessions those sessions will still remain active. This is problematic, as it's possible to disable previously enabled MFA from those sessions (or do anything that a logged in user can do, at least until the session expires) without the need to provide otherwise required one time password/keys/wallets etc.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Enabling MFA should invalidate all sessions of a user.