View Issue Details

ID: 0022840
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2023-10-31 16:36
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: sometimes
Status: assigned
Resolution: open
Target Version: 2.27.0
Summary: 0022840: Don't expire user sessions when updating password hash after login method change
Description

As per @vboctor's suggestion

user_set_password() assumes that it is being called by a user, so it updates the cookie to expire browser sessions.

The same function is used by authentication API's auth_does_password_match() when updating the password hashes after a change of login method, only in this case there is no need to expire the sessions since the password itself is not changing - only the way it is stored in the database.

Tags: No tags attached.
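An added sketch of the behaviour the description asks for, not MantisBT's own code: a password-setting routine whose session expiry is opt-in, so a re-hash triggered at login leaves existing sessions valid. The function names, the `$user` array layout, and the choice of a legacy MD5 hash as the "old login method" are all assumptions made for illustration.

```php
<?php
// Added illustration, not MantisBT code: all names here are hypothetical.
// Constructed sample user: a legacy MD5 hash plus a per-user cookie string
// that every browser session must present.
$user = [
    'password_hash' => md5('correct horse'),
    'cookie_string' => bin2hex(random_bytes(32)),
];

// Store a new hash. Rotating the cookie string is what logs out every
// existing session, so the caller decides whether it happens.
function set_password(array &$user, string $password, bool $expireSessions): void
{
    $user['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    if ($expireSessions) {
        $user['cookie_string'] = bin2hex(random_bytes(32));
    }
}

// Verify a login. A match against the legacy format re-hashes the same
// password in the current format and leaves sessions alone.
function password_matches(array &$user, string $password): bool
{
    $stored = $user['password_hash'];
    $isLegacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $isLegacy
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);
    if ($ok && ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        set_password($user, $password, false); // storage change only
    }
    return $ok;
}

$before = $user['cookie_string'];

// Log in with the legacy hash in place, then compare the cookie string
// and check that the stored hash is now in the current format.
var_dump(password_matches($user, 'correct horse'));
var_dump($user['cookie_string'] === $before);
var_dump(password_verify('correct horse', $user['password_hash']));

// A user-initiated password change rotates the cookie string.
set_password($user, 'new passphrase', true);
var_dump($user['cookie_string'] === $before);
```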

Activities