[#17825] - Remember-Me functionality should be unset, when user changes password
- Closed
- 1 Sep 2017
- Medium
- Build: staging
- # 17825
Steps to reproduce the issue
All frontend:
- Login on one device with activated "remember-me" checkbox and close the browser again.
- Login on another device and change your password here.
- Go back to your first device and open the website again.
Expected result
As the password is changed now, the "silent" login should not successfully proceed.
Actual result
You are logged into the website on your first device (actually assuming the old password is still working), even though the password was changed since you first logged in.
System information (as much as possible)
Joomla CMS all versions
Additional comments
This is a security risk for the user: If someone (an ex boyfriend) can access a device where the user previously was logged in (with remember-me functionality activated), changing the users password cannot keep this person out of the users account.
(I am afraid this is not a hypthetical risk - www.alicerugglestrust.org )
I do have a patched "system-remember" plugin ready and I like to submit this to the core, but am un-knowledgeable with the "pull-request" procedure.
joomla-cms-bot
- | Labels |
Added:
?
|
||
franz-wohlkoenig
- | Category | ⇒ | com_plugins |
| Status | New | ⇒ | Discussion |
The remember-me doesn't use any password at all. That's why it will still work when you changed the password.
The issue is if you reset your account credentials, it should invalidate that remember me cookie. Just yesterday I reset my password on a website and my remember me authentication on all devices for that site was invalidated, I had to re-login (and authorize remember me again) for the new credentials.
closing here as we know have a pull request and should continue any discussion there.
| Status | Discussion | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-09-01 13:48:25 |
| Closed_By | ⇒ | brianteeman |
I could attach those changed files here if you like...