View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0022840 | mantisbt | authentication | public | 2017-05-06 17:43 | 2021-01-05 18:59 |
Reporter | dregad | Assigned To | dregad |
Priority | normal | Severity | minor | Reproducibility | sometimes |
Status | assigned | Resolution | open |
Target Version | 2.26.0 |
Summary | 0022840: Don't expire user sessions when updating password hash after login method change |
Description | As per @vboctor's suggestion user_set_password() assumes that it is being called by a user, so it updates the cookie to expire browser sessions. The same function is used by authentication API's auth_does_password_match() when updating the password hashes after a change of login method, only in this case there is no need to expire the sessions since the password itself is not changing - only the way it is stored in the database. |
Tags | No tags attached. |
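
The distinction the description draws, as an added example that is not MantisBT's code or a patch for this issue: a login-time hash migration re-stores the same secret and keeps the per-user cookie token, while a real password change rotates it. The function names, the `$rotate_cookie` parameter, the `cookie_string` field and the MD5-to-`password_hash()` migration are assumptions made for illustration.

```php
<?php
// Added illustration, not MantisBT code: every name here is hypothetical.

// Constructed user record: a legacy unsalted MD5 hash plus the per-user
// cookie token that browser sessions are checked against.
$users = [
    'alice' => [
        'password'      => md5('correct horse'),
        'cookie_string' => bin2hex(random_bytes(16)),
    ],
];

// Store a new hash. The cookie token is rotated only when the secret
// itself changed, which is what invalidates existing browser sessions.
function set_password(array &$user, string $plain, bool $rotate_cookie = true): void
{
    $user['password'] = password_hash($plain, PASSWORD_DEFAULT);
    if ($rotate_cookie) {
        $user['cookie_string'] = bin2hex(random_bytes(16));
    }
}

// Check a login attempt. A match against the legacy format re-stores the
// same password under the current scheme and leaves the cookie token alone.
function password_matches(array &$user, string $plain): bool
{
    $stored = $user['password'];
    if (!preg_match('/^[0-9a-f]{32}$/', $stored)) {
        return password_verify($plain, $stored);      // already migrated
    }
    if (!hash_equals($stored, md5($plain))) {
        return false;                                 // wrong password: no rewrite
    }
    set_password($user, $plain, false);               // storage change only
    return true;
}

$token = $users['alice']['cookie_string'];

// Login under the new method migrates the hash; the session token is kept.
var_dump(password_matches($users['alice'], 'correct horse'));
var_dump($users['alice']['cookie_string'] === $token);

// A user-initiated password change rotates the token and ends old sessions.
set_password($users['alice'], 'new secret');
var_dump($users['alice']['cookie_string'] === $token);
```

The default of `true` keeps the safe behaviour for every caller that changes the password itself; only the migration path opts out, and only after the supplied password has been verified.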