delete all tokens on password change

remotes/origin/stable5
Michael Göhler 12 years ago
parent 45f1c3f120
commit 2ea06f67bd
  1. 8
      lib/base.php
  2. 2
      lib/user.php

@ -552,9 +552,11 @@ class OC{
OC_Util::redirectToDefaultPage();
// doesn't return
}
// if you reach this point you are an attacker
// we remove all tokens to be save
OC_Preferences::deleteApp($_POST['user'], 'login_token');
// if you reach this point you have changed your password
// or you are an attacker
// we can not delete tokens here because users will reach
// this point multible times after a password change
//OC_Preferences::deleteApp($_POST['user'], 'login_token');
}
OC_User::unsetMagicInCookie();
return true;
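Review bot: With the `deleteApp` call commented out, a rejected login token in this branch no longer has any server-side effect; `OC_User::unsetMagicInCookie()` only clears the cookie for the client that sent it, and nothing visible here records the rejection. The new comment itself says this point is also reached by an attacker, so I would log the event so repeated invalid tokens show up for operators, e.g. `OC_Log::write('core', 'Login token rejected', OC_Log::WARN);`. The commented-out `//OC_Preferences::deleteApp(...)` line should be deleted rather than kept as dead code, and "multible" in the comment should read "multiple". The enclosing method starts outside the hunk, so how this branch is reached is inferred from the comments.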

@ -329,6 +329,8 @@ class OC_User {
}
}
}
// invalidate all login cookies
OC_Preferences::deleteApp($uid, 'login_token');
OC_Hook::emit( "OC_User", "post_setPassword", array( "uid" => $uid, "password" => $password ));
return $success;
}
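Review bot: As far as the hunk shows, `OC_Preferences::deleteApp($uid, 'login_token')` runs just before `return $success;` without checking `$success`, so a password change that no backend accepted would still wipe the user's remembered logins. If that fail-safe behaviour is intended, say so in the comment, e.g. `// invalidate all login cookies, even when no backend accepted the change`; otherwise wrap the call in `if ($success) { ... }`. The comment could also state that only the stored `login_token` entries are revoked; whether already-established sessions are ended is not visible here. The method begins outside the hunk, so the surrounding conditions are inferred from the closing braces.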
