NOT calling setPlainPassword() as this clears the password property #1

Merged
merged 1 commit into from Dec 28, 2015


weaverryan commented Dec 28, 2015

eraseCredentials() is called after login, just to make sure you don't store any
plain text passwords on the User object and put it into the session or something.
However, by calling setPlainPassword(), not only was the plainPassword cleared,
the encoded password property was also cleared. This meant that the User
object was serialized into the session with no password. On the next request,
when the User was refreshed, the refreshed User object and the serialized User
object appeared to have different passwords, suggesting that the user had changed
his password remotely and our session should be terminated.

I hope this helps - this is a very common problem to hit - your other setup looks very cool :).

onlinespaces pushed a commit that referenced this pull request Dec 28, 2015
NOT calling setPlainPassword() as this clears the password property
@onlinespaces onlinespaces merged commit 07ce6d0 into collierscott:master Dec 28, 2015
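
The failure described in this pull request, reduced to a stand-alone sketch. This is an added example, not code from the repository: the `User` class, the setter that nulls the hash, the `eraseCredentialsBefore()`/`eraseCredentialsAfter()` names and `sessionSurvives()` are assumptions that stand in for the entity and for the framework's comparison on the next request.

```php
<?php
// Added example: names and method bodies are assumptions, not the repository's code.

class User
{
    public $password;       // encoded hash, persisted
    public $plainPassword;  // transient, must never reach the session

    public function __construct($encodedPassword)
    {
        $this->password = $encodedPassword;
    }

    // Assumed setter shape: it also nulls the encoded hash, which is the
    // side effect the pull request describes.
    public function setPlainPassword($plainPassword)
    {
        $this->plainPassword = $plainPassword;
        $this->password = null;
    }

    // "Before": clears the plain password, but wipes the hash as well.
    public function eraseCredentialsBefore()
    {
        $this->setPlainPassword(null);
    }

    // "After": touches only the transient property.
    public function eraseCredentialsAfter()
    {
        $this->plainPassword = null;
    }
}

// Stand-in for the next request: the serialized session copy is compared
// with a freshly loaded user; a mismatch ends the session.
function sessionSurvives(User $loggedIn, User $refreshed)
{
    $fromSession = unserialize(serialize($loggedIn));
    return $fromSession->password === $refreshed->password;
}

$hash = 'constructed-hash-placeholder'; // constructed sample value

$buggy = new User($hash);
$buggy->eraseCredentialsBefore();
var_dump(sessionSurvives($buggy, new User($hash)));

$fixed = new User($hash);
$fixed->plainPassword = 'constructed-plain-password';
$fixed->eraseCredentialsAfter();
var_dump(sessionSurvives($fixed, new User($hash)), $fixed->plainPassword);
```

A regression test for this class of bug is to log in, issue a second authenticated request, and assert that the user is still authenticated.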