Hi,

I have received the following email asking for confirmation that it has been fixed and to pay a bounty. Is this a bug or issue with zencart, and if so, please let me know how I can resolve it. I tried searching and found several websites mentioning this vulnerability but none showing how to fix it on zencart. Thanks if you can help.

------------------------------------------------------
MESSAGE:
Vulnerability: Broken Authentication & Session Management
I have observed that when we change the "password" from one browser, instead of the session expiring in another browser, it just updates the password in the other browser and the old session gets updated without being logged out.
The flow goes like this:
Broken Authentication and Session Management > Failure to Invalidate Session > On Password Change

Steps:
1- Log in from two browsers at a time [from the Chrome browser and from Mozilla Firefox].
2- Change the password in settings from the Chrome browser.
3- Now check Mozilla Firefox.
4- Your session got "updated" instead of expiring.

Same goes with when using two different computer systems.
1- Log in from two computers at a time.
2- Change the password in settings from computer A.
3- Now check computer B.
4- Your session got "updated" instead of expiring.

Recommendation: If the session is updated from one browser/computer, the other should expire, so that it is renewed only after logging in again.

------------------------------------------------------

Here are my current session settings if this is where it's going wrong:
Session Directory: /tmp
Cookie Domain: True
Force Cookie Use: False
Check SSL Session ID: False
Check User Agent: False
Check IP Address: False
Prevent Spider Sessions: True
Recreate Session: True
IP to Host Conversion Status: true
Use root path for cookie path: False
Add period prefix to cookie domain: false
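The settings listed above govern how a single session's cookie and ID are handled (domain, path, user-agent and IP checks, ID regeneration on login); none of them ties a session to the password it was opened with, which is the check the report is asking for. The following is an added, language-neutral model of that check written for this thread; it is not Zen Cart code and uses no Zen Cart API. It assumes a server-side session store and an account record that carries a "password generation" counter (both constructed here in memory): every session is stamped with the account's generation at login, a password change bumps the generation, and any session carrying an older stamp is rejected on its next request. The `demo()` function walks through the reporter's own steps (two logins, change password in one, check the other) in both the reported and the fixed configuration.

```python
"""Constructed model of 'invalidate other sessions on password change'.

Not Zen Cart code: an in-memory account table and session table stand in
for the real database and session handler. Each session records the
account's password generation at login; changing the password bumps the
generation, so sessions issued under the old one are rejected on their
next request (only the session that made the change is re-stamped).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _hash(password: str) -> str:
    # Demo hash only; a real store uses a slow password hash (bcrypt/argon2).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Account:
    username: str
    password_hash: str
    password_generation: int = 0  # incremented on every password change


@dataclass
class Session:
    user: str
    password_generation: int  # generation that was current when issued


class SessionStore:
    def __init__(self, invalidate_on_password_change: bool = True) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}
        # False reproduces the reported behaviour; True is the fix.
        self.invalidate_on_password_change = invalidate_on_password_change

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, _hash(password))

    def login(self, username: str, password: str) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.password_hash, _hash(password)):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, acct.password_generation)
        return sid

    def current_user(self, sid: Optional[str]) -> Optional[str]:
        """Per-request check: returns the user if the session is still valid."""
        sess = self.sessions.get(sid) if sid else None
        if sess is None:
            return None
        acct = self.accounts[sess.user]
        if (self.invalidate_on_password_change
                and sess.password_generation != acct.password_generation):
            del self.sessions[sid]  # issued before the password changed: expire it
            return None
        return sess.user

    def change_password(self, sid: Optional[str], old: str, new: str) -> bool:
        user = self.current_user(sid)
        if user is None:
            return False
        acct = self.accounts[user]
        if not hmac.compare_digest(acct.password_hash, _hash(old)):
            return False
        acct.password_hash = _hash(new)
        acct.password_generation += 1
        # Re-stamp the session that performed the change so that only the
        # *other* browsers/computers are logged out.
        self.sessions[sid] = Session(user, acct.password_generation)
        return True


def demo(invalidate: bool) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Reporter's steps. Returns (Chrome user, Firefox user, login with old password)."""
    store = SessionStore(invalidate_on_password_change=invalidate)
    store.register("alice", "old-pass")  # constructed sample account
    chrome = store.login("alice", "old-pass")
    firefox = store.login("alice", "old-pass")
    changed = store.change_password(chrome, "old-pass", "new-pass")
    assert changed
    return (store.current_user(chrome),
            store.current_user(firefox),
            store.login("alice", "old-pass"))


if __name__ == "__main__":
    print("reported behaviour:", demo(False))  # Firefox stays logged in
    print("with invalidation: ", demo(True))   # Firefox session is expired
```

The generation counter is cheaper than walking the session directory to delete other sessions, and it works with file-based sessions such as the `/tmp` directory shown above, because the stale session is rejected the next time it is presented rather than having to be found and removed at change time. A timestamp of the last password change compared against the session's issue time works the same way.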