View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0022840||mantisbt||authentication||public||2017-05-06 17:43||2021-01-05 18:59|
|Summary||0022840: Don't expire user sessions when updating password hash after login method change|
As per @vboctor's suggestion
user_set_password() assumes that it is being called by a user, so it updates the cookie to expire browser sessions.
The same function is used by authentication API's auth_does_password_match() when updating the password hashes after a change of login method, only in this case there is no need to expire the sessions since the password itself is not changing - only the way it is stored in the database.
|Tags||No tags attached.|