
user sessions

Let's try the following thought experiment:

1. user A somehow gets to know the password of user B
2. user A logs in as user B, and checks "remember me".
3. user A does funny things as user B (he doesn't change B's password, though)
4. user B notices that someone else has logged in as him
5. user B changes his password, because he presumes that this will keep user A out of his account.

The funny thing now is that even though user B has changed his password, user A will always be able to log in as user B, as long as he uses the browser he originally used, with user B's session cookie.

Shouldn't the logout take care of all sessions of the user?

Also, when you want to change your password, shouldn't you be asked to give your current password?

Iyengar Yoga Resources / GT Plugins
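The scenario in the post, modelled as an added example (this is illustrative code, not Gossamer Forum's own Perl, and the `Forum` class, its method names and the `hardened` flag are assumptions). With `hardened=False` a remember-me cookie survives a password change exactly as described; with `hardened=True` the password change demands the current password and revokes every other session of that user, including persistent cookies on other browsers.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 50_000  # assumption: kept low so the example runs quickly


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns salt || derived key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + dk


def check_password(password, stored):
    """Constant-time comparison against a stored salt || derived key."""
    salt, dk = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, dk)


class Forum:
    """Minimal in-memory model of login, 'remember me' cookies and password change.

    hardened=False reproduces the problem in the post: the server only ever checks
    the password at login time, so an existing cookie stays valid after a change.
    hardened=True applies both fixes the post asks for.
    """

    def __init__(self, hardened):
        self.hardened = hardened
        self.users = {}     # username -> password hash
        self.sessions = {}  # cookie token -> {"user": ..., "persistent": bool}

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, remember_me=False):
        """Return an opaque session cookie, or None if the password is wrong."""
        stored = self.users.get(username)
        if stored is None or not check_password(password, stored):
            return None
        token = secrets.token_urlsafe(32)
        # 'persistent' only marks the cookie as long-lived; validity is the same.
        self.sessions[token] = {"user": username, "persistent": remember_me}
        return token

    def whoami(self, token):
        s = self.sessions.get(token)
        return s["user"] if s else None

    def revoke_all_sessions(self, username, keep=None):
        """Drop every session of the user, optionally keeping the caller's own."""
        self.sessions = {t: s for t, s in self.sessions.items()
                         if s["user"] != username or t == keep}

    def change_password(self, token, current_password, new_password):
        username = self.whoami(token)
        if username is None:
            return False
        if self.hardened and not check_password(current_password, self.users[username]):
            return False  # possession of a cookie is not proof of knowing the password
        self.users[username] = hash_password(new_password)
        if self.hardened:
            # A password change is a credential rotation: every other session,
            # remember-me cookies on other browsers included, must die with it.
            self.revoke_all_sessions(username, keep=token)
        return True


def run_scenario(hardened):
    """Steps 1-5 of the post; returns what each party can still do afterwards."""
    forum = Forum(hardened)
    forum.register("B", "hunter2")
    a_cookie = forum.login("B", "hunter2", remember_me=True)  # A uses B's password
    b_cookie = forum.login("B", "hunter2")                    # B on his own browser
    changed = forum.change_password(b_cookie, "hunter2", "new-secret")
    return {
        "password_changed": changed,
        "attacker_still_logged_in": forum.whoami(a_cookie) == "B",
        "attacker_can_relogin_with_old_pw": forum.login("B", "hunter2") is not None,
        "change_without_current_pw": forum.change_password(b_cookie, "wrong", "x"),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", run_scenario(mode))
```

Note that "attacker_can_relogin_with_old_pw" is False in both modes: the password check itself was never the weak point. The gap is purely that the server treats a previously issued cookie as a standing credential that nothing ever re-examines, which is why session revocation has to be an explicit step of the password-change (and logout-everywhere) flow rather than a side effect of the new hash.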