Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
bug #24536 [Security] Reject remember-me token if UserCheckerInterfac…
…e::checkPostAuth() fails (kbond) This PR was merged into the 2.7 branch. Discussion ---------- [Security] Reject remember-me token if UserCheckerInterface::checkPostAuth() fails | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #24525 | License | MIT | Doc PR | - I think this is a security hole - a user can remain logged in with a remember me cookie even though they can no longer pass `UserCheckInterface::checkPostAuth()` (could be disabled). This is a small BC break but shouldn't be an issue as I think it is a bug. I don't think this requires a BC layer but if so, I can add. Commits ------- fe190b6 reject remember-me token if user check fails
- Loading branch information