View Issue Details

ID: 0022840
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2021-01-05 18:59
Reporter: dregad
Assigned To: dregad
Status: assigned
Resolution: open
Target Version: 2.26.0
Summary: 0022840: Don't expire user sessions when updating password hash after login method change

As per @vboctor's suggestion

user_set_password() assumes that it is being called by a user, so it updates the cookie to expire browser sessions.

The same function is used by authentication API's auth_does_password_match() when updating the password hashes after a change of login method, only in this case there is no need to expire the sessions since the password itself is not changing - only the way it is stored in the database.

Tags: No tags attached.
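
The separation the report asks for, sketched as an added example (not MantisBT's code): the routine that stores the hash takes a flag, so the login-time rehash can skip session expiry while a real password change still triggers it. The function names, the `$expire_sessions` parameter, the MD5 legacy format and the per-user cookie value are assumptions made for illustration.

```php
<?php
// Added illustration, not MantisBT code. Names and data are hypothetical.

// Constructed user record: a legacy unsalted MD5 hash plus the per-user
// cookie value that browser sessions are checked against (assumed model).
$user = [
    'password'      => md5('correct horse'),
    'cookie_string' => bin2hex(random_bytes(32)),
];

// Store a new hash. Rotating the cookie value logs out every browser
// session, so do it only when the password itself has changed.
function store_password(array &$user, string $password, bool $expire_sessions = true): void
{
    $user['password'] = password_hash($password, PASSWORD_DEFAULT);
    if ($expire_sessions) {
        $user['cookie_string'] = bin2hex(random_bytes(32));
    }
}

// Verify a login attempt and migrate the stored hash if it is outdated.
function password_matches(array &$user, string $candidate): bool
{
    $stored = $user['password'];
    $legacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $legacy
        ? hash_equals($stored, md5($candidate))
        : password_verify($candidate, $stored);
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        // Same secret, new storage format: existing sessions stay valid.
        store_password($user, $candidate, false);
    }
    return $ok;
}

$cookie = $user['cookie_string'];
$ok = password_matches($user, 'correct horse');
printf("login ok: %s\n", var_export($ok, true));
printf("hash migrated: %s\n", var_export(password_verify('correct horse', $user['password']), true));
printf("sessions kept after rehash: %s\n", var_export($user['cookie_string'] === $cookie, true));

store_password($user, 'new secret'); // real password change
printf("sessions kept after password change: %s\n", var_export($user['cookie_string'] === $cookie, true));
```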