author | Michael Göhler <somebody.here@gmx.de> | 2012-10-11 11:54:40 +0200 |
---|---|---|
committer | Michael Göhler <somebody.here@gmx.de> | 2012-10-14 22:36:25 +0200 |
commit | 2ea06f67bd8bf8293afdff91fbbc42d021d2c211 (patch) | |
tree | aeede9be57e4d95c5c7203ca37fa324050437e14 | |
parent | 45f1c3f120e459a48ccb54b74cc97facb1946042 (diff) | |
download | nextcloud-server-2ea06f67bd8bf8293afdff91fbbc42d021d2c211.tar.gz nextcloud-server-2ea06f67bd8bf8293afdff91fbbc42d021d2c211.zip |
delete all tokens on password change
-rw-r--r-- | lib/base.php | 8 | ||||
-rw-r--r-- | lib/user.php | 2 |
2 files changed, 7 insertions, 3 deletions
diff --git a/lib/base.php b/lib/base.php
index cac416003e0..b02db4d05f5 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -552,9 +552,11 @@ class OC{
OC_Util::redirectToDefaultPage(); // doesn't return
}
- // if you reach this point you are an attacker
- // we remove all tokens to be save
- OC_Preferences::deleteApp($_POST['user'], 'login_token');
+ // if you reach this point you have changed your password
+ // or you are an attacker
+ // we can not delete tokens here because users will reach
+ // this point multible times after a password change
+ //OC_Preferences::deleteApp($_POST['user'], 'login_token');
}
OC_User::unsetMagicInCookie();
return true;
diff --git a/lib/user.php b/lib/user.php
index be8ddce88bb..11373a74014 100644
--- a/lib/user.php
+++ b/lib/user.php
@@ -329,6 +329,8 @@ class OC_User {
}
}
}
+ // invalidate all login cookies
+ OC_Preferences::deleteApp($uid, 'login_token');
OC_Hook::emit( "OC_User", "post_setPassword", array( "uid" => $uid, "password" => $password ));
return $success;
}
|
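Review bot: The commented-out `//OC_Preferences::deleteApp($_POST['user'], 'login_token');` kept on the new side of the base.php hunk is dead code and should be deleted; the comment above it already records why the call moved, so a single line such as `// tokens are invalidated in OC_User::setPassword instead` says everything a reader needs. The removed line also read the user from `$_POST['user']`, which in a cookie-based remember-me path is presumably not set, so the old deletion likely never targeted the intended user — worth a sentence in the commit message. With the deletion gone, a rejected token now only leads to `OC_User::unsetMagicInCookie()`, and the stale-token and attacker cases the new comment describes become indistinguishable server-side; logging the rejection would let operators notice repeated failures for one account. The word `multible` in the new comment should read `multiple`. The enclosing function starts before and ends after this hunk.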
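Review bot: In the user.php hunk, `OC_Preferences::deleteApp($uid, 'login_token');` runs regardless of whether the backend accepted the new password, so a failed change still invalidates every remember-me token for `$uid`; guard it with the result returned two lines later, `if ($success) { OC_Preferences::deleteApp($uid, 'login_token'); }`, unless unconditional invalidation is intended, in which case the comment should say so. After the deletion, the browser that performed the change still carries a cookie naming a token that no longer exists, which is the repeated-rejection case the base.php hunk describes; when `$uid` is the user performing the change, clearing that cookie here via the existing `OC_User::unsetMagicInCookie()` helper (or issuing a fresh token) would avoid it. The enclosing method, apparently setPassword judging by the hook name, starts outside the hunk, and `$success` is presumably assigned there.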