# talk-kratos

lively-beard-47107

03/01/2022, 11:22 AM
Hi! Quick question. On the settings flow, when trying to change password, I’m seeing only the new password as a required parameter. Shouldn’t there be a validation where the user should also provide the current password?

proud-plumber-24205

03/02/2022, 5:18 PM
Hi @User. No, since we require you to have a session already (which means you have already proven your identity). Also, you can set how long this session should be before Kratos would require the user to sign in again to validate their identity before allowing any profile updates. https://www.ory.sh/docs/kratos/self-service/flows/user-settings#updating-privileged-fields

lively-beard-47107

03/02/2022, 5:22 PM
Let’s say I am logged in on my machine. I forget and leave my machine unlocked. Someone with bad intentions goes to the platform and changes my password. He can set a new password for my account without me even knowing it.

proud-plumber-24205

03/02/2022, 5:23 PM
Yes, that is why this is configurable to your use case, e.g. 10 min? 5 min? 2 min?

lively-beard-47107

03/02/2022, 5:24 PM
Ah okay, so there is a special (privileged) session for changing password / email, apart from the session which keeps me logged in?
Or did I get it wrong?

proud-plumber-24205

03/02/2022, 5:24 PM
Yes, there is; that is what the link to the docs shows 🙂
To clarify, it's the maximum time the session has been active for which allows you to update a privileged field.
So it still relies on your session cookie (which is a different setting).

lively-beard-47107

03/02/2022, 5:30 PM
So, if I’ve configured it to only allow 5 minutes to change privileged fields, the user can still be logged in for 2 hours? What would happen if he tries to change a privileged field 5 minutes after he first logs in?

proud-plumber-24205

03/02/2022, 5:31 PM
Yes, he can still be logged in for 2 hours, but to update his settings Kratos would request the user to log in again.