Diffstat (limited to 'apps')
-rw-r--r-- | apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php | 5 | ||||
-rw-r--r-- | apps/files_external/lib/Listener/StorePasswordListener.php | 8 |
2 files changed, 11 insertions, 2 deletions
diff --git a/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php b/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php
index 6bf6b61f164..b8279f5ca61 100644
--- a/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php
+++ b/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php
@@ -79,6 +79,11 @@ class LoginCredentials extends AuthMechanism {
 try {
 $sessionCredentials = $this->credentialsStore->getLoginCredentials();
+ if ($sessionCredentials->getUID() !== $user->getUID()) {
+ // Can't take the credentials from the session as they are not the same user
+ throw new CredentialsUnavailableException();
+ }
+
 $credentials = [
 'user' => $sessionCredentials->getLoginName(),
 'password' => $sessionCredentials->getPassword()
diff --git a/apps/files_external/lib/Listener/StorePasswordListener.php b/apps/files_external/lib/Listener/StorePasswordListener.php
index 3212f2a48c7..27de4ada465 100644
--- a/apps/files_external/lib/Listener/StorePasswordListener.php
+++ b/apps/files_external/lib/Listener/StorePasswordListener.php
@@ -51,10 +51,14 @@ class StorePasswordListener implements IEventListener {
 }
 $stored = $this->credentialsManager->retrieve($event->getUser()->getUID(), LoginCredentials::CREDENTIALS_IDENTIFIER);
+ $update = isset($stored['password']) && $stored['password'] !== $event->getPassword();
+ if (!$update && $event instanceof UserLoggedInEvent) {
+ $update = isset($stored['user']) && $stored['user'] !== $event->getLoginName();
+ }
- if ($stored && $stored['password'] !== $event->getPassword()) {
+ if ($stored && $update) {
 $credentials = [
- 'user' => $stored['user'],
+ 'user' => $event->getLoginName(),
 'password' => $event->getPassword()
 ]; |
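Review bot: The added mismatch branch throws `CredentialsUnavailableException` with no message and no log entry, so a session whose UID differs from `$user` looks the same as a session that simply holds no credentials, both to the handler and to anyone reading logs later. Going by the comment, this check is what keeps one account's session password from being used for another user's storage, so I would name the condition, e.g. `throw new CredentialsUnavailableException('Session credentials belong to a different user');` (assuming the class keeps the standard exception constructor), and consider logging both UIDs, never the password. The `try` opens in this hunk but its `catch` and any null handling for `$user` are outside it, so confirm the handler covers this exception type and that `$user` cannot be null when `getUID()` is called.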
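Review bot: `'user' => $event->getLoginName()` in the rebuilt `$credentials` array runs for every event type, while the comparison a few lines above is guarded with `$event instanceof UserLoggedInEvent`; if another event class reaching this listener has no `getLoginName()` (its definition is not visible here), a password-only update would fail instead of refreshing the stored password. Keeping the stored name in that case avoids it: `'user' => $event instanceof UserLoggedInEvent ? $event->getLoginName() : $stored['user'],`. Separately, `$stored &&` in the condition is now redundant, since `$update` can only be true after one of the `isset($stored[...])` checks passed. The enclosing method starts and ends outside the hunk.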