1. 16 Apr, 2015 5 commits
  2. 15 Apr, 2015 4 commits
  3. 13 Apr, 2015 1 commit
  4. 29 Mar, 2015 3 commits
  5. 27 Mar, 2015 1 commit
  6. 24 Feb, 2015 2 commits
  7. 09 Feb, 2015 1 commit
  8. 08 Feb, 2015 1 commit
  9. 03 Feb, 2015 1 commit
  10. 29 Jan, 2015 1 commit
  11. 26 Jan, 2015 1 commit
  12. 12 Jan, 2015 2 commits
  13. 06 Jan, 2015 1 commit
  14. 14 Dec, 2014 1 commit
  15. 10 Dec, 2014 1 commit
  16. 04 Dec, 2014 1 commit
  17. 25 Nov, 2014 8 commits
  18. 24 Nov, 2014 3 commits
  19. 23 Nov, 2014 1 commit
  20. 20 Nov, 2014 1 commit
    • Session is not invalidating after password change (Bug #1363873) · 26095d3c
      Robert Lyon authored
      
      
      Scenario/testing:
      
      - Create an account, say User A and logout as admin.
      - In one browser login (this will be the hacker user)
      - In another browser reset pass via forgotten pass link
      
      What should happen:
      User in browser two should be able to reset pass then navigate about
      as when normally logged in. User in browser one should be forced to
      login again as their user sessionid is not valid anymore.
      
      Before patch:
      malicious user still has access until $USER->logout_time time expires
      
      After patch:
      malicious user forced to re-login straight away on next page load
      
      Change-Id: I42ad907e5ffa7c128742a159116cf20dc6cd9b8a
      Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>