All frontend:
As the password is changed now, the "silent" login should not successfully proceed.
You are logged into the website on your first device (actually assuming the old password is still working), even though the password was changed since you first logged in.
Joomla CMS all versions
This is a security risk for the user: If someone (an ex-boyfriend) can access a device where the user previously was logged in (with remember-me functionality activated), changing the user's password cannot keep this person out of the user's account.
(I am afraid this is not a hypothetical risk - www.alicerugglestrust.org )
I do have a patched "system-remember" plugin ready and I would like to submit this to the core, but am unfamiliar with the "pull-request" procedure.
Labels | Added: ? |
Category | ⇒ | com_plugins |
Status | New | ⇒ | Discussion |
The remember-me doesn't use any password at all. That's why it will still work when you changed the password.
The issue is if you reset your account credentials, it should invalidate that remember me cookie. Just yesterday I reset my password on a website and my remember me authentication on all devices for that site was invalidated, I had to re-login (and authorize remember me again) for the new credentials.
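The comment above describes the expected behaviour: a remember-me cookie carries no password, so it has to be tied to the account's password state some other way or it survives a password change. The following is an added example (not Joomla's system-remember plugin, nor the reporter's patch) of one common design that gives that behaviour: each issued cookie is a `series:validator` pair, the server stores only an HMAC of the validator together with a per-user `password_generation` counter, and changing the password bumps the counter so every cookie issued under the old password is rejected on its next use. The class and field names, the server key and the user data are constructed for the example; the PBKDF2 call stands in for whatever password hasher the real application uses.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def hash_password(password: str, salt: str) -> str:
    # Stand-in for the application's real password hasher (bcrypt/argon2 in practice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


@dataclass
class User:
    username: str
    salt: str
    password_hash: str
    password_generation: int = 0   # incremented on every password change


@dataclass
class RememberRecord:
    username: str
    validator_hmac: bytes          # HMAC of the validator; the validator itself is never stored
    password_generation: int       # generation the cookie was issued under


class RememberMeService:
    """Constructed in-memory model of a remember-me store bound to password state."""

    def __init__(self, server_key: bytes):
        self.server_key = server_key
        self.users: Dict[str, User] = {}
        self.records: Dict[str, RememberRecord] = {}   # series -> record

    def _mac(self, validator: str) -> bytes:
        return hmac.new(self.server_key, validator.encode(), "sha256").digest()

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_hex(8)
        self.users[username] = User(username, salt, hash_password(password, salt))

    def _check_password(self, user: User, password: str) -> bool:
        return hmac.compare_digest(user.password_hash, hash_password(password, user.salt))

    def login_with_password(self, username: str, password: str) -> Optional[str]:
        """Password login; on success issues a remember-me cookie 'series:validator'."""
        user = self.users.get(username)
        if user is None or not self._check_password(user, password):
            return None
        series = secrets.token_urlsafe(16)
        validator = secrets.token_urlsafe(32)
        self.records[series] = RememberRecord(username, self._mac(validator), user.password_generation)
        return f"{series}:{validator}"

    def login_with_cookie(self, cookie: str) -> Optional[str]:
        """'Silent' login from the cookie; returns the username or None if rejected."""
        try:
            series, validator = cookie.split(":", 1)
        except ValueError:
            return None
        record = self.records.get(series)
        if record is None:
            return None
        if not hmac.compare_digest(record.validator_hmac, self._mac(validator)):
            # Known series with a wrong validator: treat the series as compromised and drop it.
            del self.records[series]
            return None
        user = self.users[record.username]
        if record.password_generation != user.password_generation:
            # Cookie was issued before the most recent password change: reject and discard it.
            del self.records[series]
            return None
        return user.username

    def change_password(self, username: str, old_password: str, new_password: str) -> bool:
        """Changes the password and bumps the generation, invalidating all earlier cookies."""
        user = self.users.get(username)
        if user is None or not self._check_password(user, old_password):
            return False
        user.salt = secrets.token_hex(8)
        user.password_hash = hash_password(new_password, user.salt)
        user.password_generation += 1
        return True


if __name__ == "__main__":
    svc = RememberMeService(b"constructed-server-key")
    svc.register("alice", "old-pass")
    cookie = svc.login_with_password("alice", "old-pass")
    print("before change:", svc.login_with_cookie(cookie))   # alice
    svc.change_password("alice", "old-pass", "new-pass")
    print("after change: ", svc.login_with_cookie(cookie))   # None
```

The generation counter is what makes the difference to the behaviour reported in this issue: a device that kept the old cookie is logged out on its next request, without the server having to enumerate and delete every outstanding cookie at password-change time. Deleting the records as well is a reasonable extra step, but the generation check is what guarantees the result even if a deletion is missed.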
Closing here as we now have a pull request and should continue any discussion there.
Status | Discussion | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-09-01 13:48:25 |
Closed_By | ⇒ | brianteeman |
I could attach those changed files here if you like...