Bug #2351 (Closed)
AuthModel doesn't clean up database when handling log out
Start date: 10/21/2013
% Done: 0%
Description
As indicated by the comment in the source code, AuthModel::logout() deletes the user's cookie but doesn't remove the record of that cookie from the database. This unnecessarily extends the time window during which an attacker capable of acquiring the user's cookie could access the site with stolen credentials.
Updated by Koen Deforche over 10 years ago
- Status changed from New to InProgress
- Assignee set to Roel Standaert
- Target version set to 3.3.3
We probably need to expand the AbstractUserDatabase API to remove a token given its hash which is in app->environment().getCookieValue(baseAuth()->authTokenCookieName()).
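The description and the comment above turn on the same point: deleting the cookie without deleting the stored token record leaves a copied cookie usable until the token expires, whereas removing the record by its hash at logout closes that window immediately. The following is an added example, not code from the Wt project, that models this in plain C++. UserDatabase, Browser, hashToken and the helper names are hypothetical stand-ins for AbstractUserDatabase, the cookie jar and the auth service's token hash; FNV-1a is used only as a non-cryptographic placeholder so the example is self-contained, and the two-week token lifetime and timestamps are constructed values.

```cpp
// Added example (not Wt's own code): models the logout defect in this ticket
// and the proposed fix (remove the token record by its hash, then delete the
// cookie).  All class and function names here are hypothetical stand-ins.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>

// Stand-in for the hash the auth service stores instead of the raw token.
// FNV-1a keeps the example self-contained; it is NOT a cryptographic hash and
// a real implementation must use one.
std::string hashToken(const std::string& raw) {
    std::uint64_t h = 14695981039346656037ULL;
    for (unsigned char c : raw) { h ^= c; h *= 1099511628211ULL; }
    char buf[17];
    std::snprintf(buf, sizeof buf, "%016llx", static_cast<unsigned long long>(h));
    return buf;
}

struct TokenRecord {
    std::string userId;
    long long expiresAt;   // seconds; constructed values in this example
};

// Stand-in for AbstractUserDatabase: only the hash of the token is stored.
class UserDatabase {
public:
    void addAuthToken(const std::string& userId, const std::string& hash, long long expiresAt) {
        tokens_[hash] = TokenRecord{userId, expiresAt};
    }
    // Lookup performed when a browser presents a remember-me cookie: a live
    // record for that hash authenticates the user.
    const TokenRecord* findWithAuthToken(const std::string& hash, long long now) const {
        auto it = tokens_.find(hash);
        if (it == tokens_.end() || it->second.expiresAt <= now) return nullptr;
        return &it->second;
    }
    // The API extension the comment proposes: remove a token given its hash.
    bool removeAuthToken(const std::string& hash) { return tokens_.erase(hash) > 0; }
    std::size_t tokenCount() const { return tokens_.size(); }
private:
    std::map<std::string, TokenRecord> tokens_;
};

// Stand-in for the browser side: the raw token travels in the auth cookie.
struct Browser {
    std::string authTokenCookie;   // empty means "no cookie set"
};

void rememberMeLogin(UserDatabase& db, Browser& b, const std::string& userId,
                     const std::string& rawToken, long long now, long long ttl) {
    db.addAuthToken(userId, hashToken(rawToken), now + ttl);
    b.authTokenCookie = rawToken;
}

// Before the fix: only the cookie is deleted; the database row stays valid
// until it expires.
void logoutCookieOnly(UserDatabase&, Browser& b) { b.authTokenCookie.clear(); }

// After the fix: hash the cookie value, remove the matching row, then delete
// the cookie, so the token dies with the session.  The cookie must be read
// before it is cleared, or the hash to remove is no longer available.
void logoutAndRevoke(UserDatabase& db, Browser& b) {
    if (!b.authTokenCookie.empty()) db.removeAuthToken(hashToken(b.authTokenCookie));
    b.authTokenCookie.clear();
}

// Returns whether a cookie copied before logout still authenticates
// `secondsAfterLogin` seconds after the login.  Timestamps and the two-week
// token lifetime are constructed values, not Wt defaults.
bool stolenCookieStillWorks(bool revokeInDatabase, long long secondsAfterLogin) {
    const long long now = 1000000;
    const long long ttl = 14LL * 24 * 3600;
    UserDatabase db;
    Browser victim;
    rememberMeLogin(db, victim, "alice", "constructed-opaque-token-value", now, ttl);
    const std::string stolen = victim.authTokenCookie;   // attacker copies the cookie now
    if (revokeInDatabase) logoutAndRevoke(db, victim);
    else                  logoutCookieOnly(db, victim);
    return db.findWithAuthToken(hashToken(stolen), now + secondsAfterLogin) != nullptr;
}

int main() {
    std::printf("cookie-only logout, 1 minute later:  stolen token works = %d\n",
                stolenCookieStillWorks(false, 60));
    std::printf("cookie-only logout, after expiry:    stolen token works = %d\n",
                stolenCookieStillWorks(false, 14LL * 24 * 3600));
    std::printf("logout with DB removal, 1 min later: stolen token works = %d\n",
                stolenCookieStillWorks(true, 60));
    return 0;
}
```

Note that in the cookie-only variant the stolen token keeps working for the full remaining lifetime of the record, which is exactly the window the description refers to; when verifying a fix of this kind in a real deployment, check the token table after logout (tokenCount() in the model) rather than only the cookie, since a cleared cookie says nothing about what the server still honours.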
Updated by Roel Standaert over 10 years ago
- Status changed from InProgress to Resolved
Updated by Koen Deforche over 10 years ago
- Status changed from Resolved to Closed