From d79bfe6eba2e99ee13e3de3a2e88190df527ea25 Mon Sep 17 00:00:00 2001
From: Livio Spring
Date: Wed, 17 Dec 2025 09:23:54 +0100
Subject: [PATCH] fix(login v1): update password verification handling (#11202)

# Which Problems Are Solved
Failed password attempts in login V1 potentially created new session entries.
# How the Problems Are Solved
Correct handling to only update existing sessions.
# Additional Changes
None
# Additional Context
- reported through support
- requires backport to v4.x
---
 .../eventsourcing/handler/user_session.go | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/internal/auth/repository/eventsourcing/handler/user_session.go b/internal/auth/repository/eventsourcing/handler/user_session.go
index b1693f8d926..a4de4fdc30b 100644
--- a/internal/auth/repository/eventsourcing/handler/user_session.go
+++ b/internal/auth/repository/eventsourcing/handler/user_session.go
@@ -257,13 +257,21 @@ func (u *UserSession) Reduce(event eventstore.Event) (_ *handler.Statement, err
 return handler.NewUpsertStatement(event, columns[0:3], columns), nil
 case user.UserV1PasswordCheckFailedType, user.HumanPasswordCheckFailedType:
- columns, err := u.sessionColumnsActivate(event,
- handler.NewCol(view_model.UserSessionKeyPasswordVerification, time.Time{}),
- )
+ userAgent, err := agentIDFromSession(event)
 if err != nil {
 return nil, err
 }
- return handler.NewUpsertStatement(event, columns[0:3], columns), nil
+ return handler.NewUpdateStatement(event,
+ []handler.Column{
+ handler.NewCol(view_model.UserSessionKeyPasswordVerification, time.Time{}),
+ handler.NewCol(view_model.UserSessionKeyChangeDate, event.CreatedAt()),
+ handler.NewCol(view_model.UserSessionKeySequence, event.Sequence()),
+ },
+ []handler.Condition{
+ handler.NewCond(view_model.UserSessionKeyUserAgentID, userAgent),
+ handler.NewCond(view_model.UserSessionKeyUserID, event.Aggregate().ID),
+ handler.NewCond(view_model.UserSessionKeyInstanceID, event.Aggregate().InstanceID),
+ }), nil
 case user.UserV1MFAOTPCheckSucceededType, user.HumanMFAOTPCheckSucceededType:
 columns, err := u.sessionColumnsActivate(event,