issue-361: Reset user cookie after administrative password change

Cookies were not reset on administrative password change of a user account. This allowed accounts with changed passwords to continue authenticating. Cookies are now reset on password changes, they are validated on each page request, AND they will now expire 7 days after generation.
author: James Moger <james.moger@gitblit.com> 2014-01-28 13:16:37 -0500
committer: James Moger <james.moger@gitblit.com> 2014-01-28 13:16:37 -0500
commit: 7ab32b65fcb20ca68d7afc357befb3a34de662bf (patch)
tree: df393fe15adcc63a8adf0330219e6bec981ba761 /src/main/java/com/gitblit/ConfigUserService.java
parent: 158242228266af84aa14b7e13b43d2825626c446 (diff)
download: gitblit-7ab32b65fcb20ca68d7afc357befb3a34de662bf.tar.gz
gitblit-7ab32b65fcb20ca68d7afc357befb3a34de662bf.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/src/main/java/com/gitblit/ConfigUserService.java b/src/main/java/com/gitblit/ConfigUserService.java
index 19e4736a..e8652252 100644
--- a/src/main/java/com/gitblit/ConfigUserService.java
+++ b/src/main/java/com/gitblit/ConfigUserService.java
@@ -272,6 +272,9 @@ public class ConfigUserService implements IUserService {
 			}
 			read();
 			originalUser = users.remove(username.toLowerCase());
+			if (originalUser != null) {
+				cookies.remove(originalUser.cookie);
+			}
 			users.put(model.username.toLowerCase(), model);
 			// null check on "final" teams because JSON-sourced UserModel
 			// can have a null teams object
author	James Moger <james.moger@gitblit.com>	2014-01-28 13:16:37 -0500
committer	James Moger <james.moger@gitblit.com>	2014-01-28 13:16:37 -0500
commit	7ab32b65fcb20ca68d7afc357befb3a34de662bf (patch)
tree	df393fe15adcc63a8adf0330219e6bec981ba761 /src/main/java/com/gitblit/ConfigUserService.java
parent	158242228266af84aa14b7e13b43d2825626c446 (diff)
download	gitblit-7ab32b65fcb20ca68d7afc357befb3a34de662bf.tar.gz gitblit-7ab32b65fcb20ca68d7afc357befb3a34de662bf.zip