@robocoder opened this Issue on February 10th 2012 Contributor

When a user logs in via the Login form, set a session cookie flag that the user is fully authenticated. Conversely, when a user comes in via a remember me cookie, the flag won't be set again.

In the following scenarios, if the user is not fully authenticated:

  • change password - user should either login again, or be prompted to re-enter his/her existing password
  • in the context of #2701, the iframe buster is enabled on the dashboard

@mattab commented on February 17th 2012 Member

Marking as won't fix/duplicate since I think we should always "Require old password when changing password or email" even if the user just logged in.

Use case: For example, user logs in, leaves computer, attacker changes password 2 minutes later, we should require the old password even if the authenticate cookie would be found.

see #2932
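The two positions in this thread, as an added example that is not Piwik's own code: a form login sets a "fully authenticated" flag on the session, a remember-me cookie restores a session without it (the flag then gates actions such as the #2701 iframe buster), and changing the password requires the old password regardless of the flag, as the resolution states. The user store, field names and token scheme are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample store: username -> user dict. Not Piwik's real schema.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(username: str, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"name": username, "salt": salt, "hash": hash_password(password, salt),
            "remember_token": secrets.token_urlsafe(32)}  # stand-in for the remember-me cookie value

def check_password(user: dict, password: str) -> bool:
    return hmac.compare_digest(user["hash"], hash_password(password, user["salt"]))

class Session:
    """fully_authenticated is True only when the user typed a password in this session."""
    def __init__(self, user: dict, fully_authenticated: bool):
        self.user = user
        self.fully_authenticated = fully_authenticated

def login_with_form(users: dict, username: str, password: str) -> Optional[Session]:
    user = users.get(username)
    if user is None or not check_password(user, password):
        return None
    return Session(user, fully_authenticated=True)  # flag set by the login form only

def login_with_remember_me(users: dict, token: str) -> Optional[Session]:
    for user in users.values():
        if hmac.compare_digest(user["remember_token"], token):
            return Session(user, fully_authenticated=False)  # flag deliberately not set
    return None

def sensitive_ui_allowed(session: Session) -> bool:
    """Gate for UI such as enabling the dashboard iframe buster: needs a fresh form login."""
    return session.fully_authenticated

def change_password(session: Session, old_password: str, new_password: str) -> bool:
    """The old password is required even when the session is fully authenticated."""
    if not check_password(session.user, old_password):
        return False
    session.user["salt"] = secrets.token_bytes(16)
    session.user["hash"] = hash_password(new_password, session.user["salt"])
    return True
```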

This Issue was closed on February 17th 2012