Set a new random cookie string upon logout
When a user logs out from Mantis, we reset their session cookie string. This ensures that anyone knowing its value is no longer able to login with it.

While not a complete fix for issue #11296, this does improve the situation by providing an easy and logical means for users to effectively invalidate all their previous sessions.

Additionally, using an empty value to indicate an invalidated cookie string instead of directly generating a new hash makes it easy to:
- identify user records which should be considered as logged out (e.g. last_visit older than $g_cookie_time_length)
- invalidate login cookies (set them to '')

Leveraging this is left for future improvements.

Note: an empty string in the session cookie always triggers an anonymous login (or sends the user back to login page if anonymous login is disabled).

Fixes #27976

(cherry picked from commit d8181a5)
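The behaviour the commit message describes, as an added example that is not MantisBT's code: a self-contained PHP model in which the user table is an in-memory array, `COOKIE_TIME_LENGTH` stands in for `$g_cookie_time_length`, and every function name (`login`, `logout`, `user_from_cookie`, `logged_out_user_ids`, `sample_users`) is hypothetical. It shows the logout clearing the stored string, the empty-string sentinel being used to find logged-out records, and the check a practitioner must not forget once '' means "invalidated": a cookie lookup that never treats an empty string as a match.

```php
<?php
// Added example, not MantisBT code. Models the logout behaviour from the
// commit message with an in-memory "user table". Every function name here
// is hypothetical; MantisBT's real helpers are not shown on this page.

// Stand-in for $g_cookie_time_length (seconds a login cookie stays valid).
const COOKIE_TIME_LENGTH = 30 * 24 * 3600;

// Constructed sample records: one active session, one already cleared,
// one whose last_visit is older than the cookie lifetime.
function sample_users(int $now): array {
    return [
        ['id' => 1, 'username' => 'alice', 'cookie_string' => 'a1b2c3d4', 'last_visit' => $now - 3600],
        ['id' => 2, 'username' => 'bob',   'cookie_string' => '',         'last_visit' => $now - 86400],
        ['id' => 3, 'username' => 'carol', 'cookie_string' => 'e5f6a7b8', 'last_visit' => $now - 90 * 86400],
    ];
}

// Login: issue a fresh random cookie string and store it on the record.
function login(array &$users, int $user_id, int $now): string {
    $new = bin2hex(random_bytes(32));
    foreach ($users as &$u) {
        if ($u['id'] === $user_id) {
            $u['cookie_string'] = $new;
            $u['last_visit'] = $now;
        }
    }
    unset($u);
    return $new; // the caller sets this as the browser cookie
}

// Logout: blank the stored string. Anyone holding the old value can no
// longer log in with it, and '' marks the record as logged out.
function logout(array &$users, int $user_id): void {
    foreach ($users as &$u) {
        if ($u['id'] === $user_id) {
            $u['cookie_string'] = '';
        }
    }
    unset($u);
}

// Map a presented cookie to a user id; null means "anonymous login, or
// back to the login page if anonymous login is disabled". The empty-string
// guard is essential: with '' used as the invalidated marker, a naive
// ($stored == $cookie) comparison would let an empty cookie match every
// logged-out user.
function user_from_cookie(array $users, string $cookie): ?int {
    if ($cookie === '') {
        return null;
    }
    foreach ($users as $u) {
        if ($u['cookie_string'] !== '' && hash_equals($u['cookie_string'], $cookie)) {
            return $u['id'];
        }
    }
    return null;
}

// Records that should be considered logged out: cookie string already
// cleared, or last_visit older than the cookie lifetime.
function logged_out_user_ids(array $users, int $now): array {
    $ids = [];
    foreach ($users as $u) {
        if ($u['cookie_string'] === '' || $u['last_visit'] < $now - COOKIE_TIME_LENGTH) {
            $ids[] = $u['id'];
        }
    }
    return $ids;
}

// Walkthrough: a captured copy of alice's cookie works until she logs out.
$now = time();
$users = sample_users($now);
$captured = 'a1b2c3d4';
var_dump(user_from_cookie($users, $captured));
logout($users, 1);
var_dump(user_from_cookie($users, $captured));
var_dump(user_from_cookie($users, ''));
print_r(logged_out_user_ids($users, $now));
```

In the walkthrough the captured value resolves to alice before `logout()` and to null afterwards, an empty cookie resolves to null regardless of table contents, and `logged_out_user_ids()` picks up both the cleared records and the one with a stale `last_visit`. The `hash_equals()` call keeps the comparison constant-time; the `!== ''` check in front of it is what keeps the sentinel from ever acting as a valid credential.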