Email verification link of a deleted account enables automatic login #2031
Comments
@saralavanip I've tried twice and couldn't reproduce it.

I think steps 7 and 8 are not central to this bug report, and can be ignored.

If I log out after step 8 and then click the verification link for user 1 (step 9), I'm not logged in; I just get an error message about an expired verification email. If I don't log out after step 8 and click the verification link for user 1, I go to the APInf UI as the currently logged-in user (user 2, the one created in step 7), plus get a message about an expired verification email. @saralavanip Please check what you were actually trying to test.

@NNN I think the main idea is in step 5.

@marla-singer I deleted the first user and followed all the steps exactly.

If the second user is logged out, it does not automatically log in. If the second user is logged in, then it goes to the current active user.

@bajiat Ok, I can't reproduce it either.
@bajiat @NNN @brylie @marla-singer, I was testing this case aiming at the security aspect in different scenarios, as below:

Scenario 1:
-> Click on expired link

Scenario 2:
-> Expired link in a deleted account (user 1)
-> Click on expired link

Scenario 3:
-> Click on expired link

@saralavanip IMHO, this does not mean there is a grave security concern. The precondition is that the second user is active / logged in on that same device.
From @saralavanip on January 25, 2017 16:53
Steps
Findings
Screenshot
Copied from original issue: Digipalvelutehdas/APIKA#297