Change password on web does not log out iOS

Note on classification: not sure if this belongs in web or iOS, as dev work to fix would likely extend across both.

Actual: I changed the password for my account online through the website, but the app still authenticates successfully on relaunch without requiring the new password.

Expected: After changing the password for the account, I would expect to be ‘signed out.’ Maybe not hard flushed out of the mobile app, but I would expect that the next server communication would trigger a re-auth and ask for the new password. This did not happen, and I had to log out manually and log back in with the new password in order to get a new token.

What?: There are a few reasons why it is preferable for a password change to log out all sessions.

  • For security reasons: minimize liability after a password change (any account status change effectively becomes a new account with new permissions, isolating failures).

  • For practical reasons: that auth token is going to expire someday, and the user is going to have to type their new password in - might as well make them do it now when it’s clear why they have to, and not pop up a frustration later to serve as a trigger for techno angst.

  • And for personal reasons, to manage my anxiety. I know that login prompt is going to pop up later and I’m going to forget and it’s going to be 11:30pm and I’m going to be desperate to do my daily streak and if I’d forgotten to log out and back in, who knows, that could have been me.

    (Realistically, since the app was working just fine, I would expect that the prompt will show up whenever the original authentication token is set to expire, probably a few days, maybe a few hours? Unless the device is just perma-trusted after the first login. Which – I mean I’m pretty sure those identifiers are spoofable so that would be pretty bad from a security standpoint.)
Anyway this is not that big a deal and may be a decent amount of work, who knows, just wanted to say my piece for account security and suggest a better practice. I mostly use memrise through the app but thanks for the super helpful app & website! I’m a big fan. Cheers.

If the APP doesn’t log out automatically / old tokens aren’t automatically invalidated, it, at least in part, negates the idea of changing passwords…
Actually, the website should go one step further: there should be a button ‘sign out of all sessions’ (on whatever device or place).
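One server-side way to get the behaviour both posts ask for, written as an added example (not Memrise’s own code): every user carries a session generation counter, every issued token remembers the generation it was minted under, and a password change or a ‘sign out of all sessions’ button just bumps the counter, so the app’s next request fails its token check and has to prompt for the new password. Names, the PBKDF2 parameters and the in-memory dictionaries are all assumptions for the illustration.

```python
import hashlib, hmac, secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    """In-memory auth store (constructed example). Each user carries a session
    generation counter; a token records the generation it was issued under and is
    accepted only while the two match, so bumping the counter kills every old token."""
    def __init__(self):
        self.users = {}   # username -> {"salt", "hash", "generation"}
        self.tokens = {}  # opaque token -> (username, generation at issue time)

    def _verify(self, username, password):
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(user["hash"], _hash(password, user["salt"]))

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt), "generation": 0}

    def login(self, username, password):
        if not self._verify(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, self.users[username]["generation"])
        return token

    def authenticate(self, token):
        """Username if the token is still valid, else None (client must prompt a re-login)."""
        username, issued_gen = self.tokens.get(token, (None, None))
        if username is None or issued_gen != self.users[username]["generation"]:
            self.tokens.pop(token, None)  # stale: issued before a password change or global sign-out
            return None
        return username

    def change_password(self, username, old_password, new_password):
        # Re-check the old password, store the new one, then invalidate every session
        if not self._verify(username, old_password):
            return False
        user = self.users[username]
        user["salt"] = secrets.token_bytes(16)
        user["hash"] = _hash(new_password, user["salt"])
        self.sign_out_everywhere(username)
        return True

    def sign_out_everywhere(self, username):
        """The 'sign out of all sessions' button: every outstanding token goes stale."""
        self.users[username]["generation"] += 1
```

Note that the change also invalidates the session that made the change, which is the ‘hard flush’ variant; keeping that one session alive would mean stamping its token with the new generation before returning.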