Page MenuHomePhabricator

When global locking a compromised account, if user had pressed remember me, the cookie from the compromised account can be used to get back into the account later
Closed, ResolvedPublic


see title.

Possibly password reset would invalidate the cookies too, but global lock should really make all old cookies useless

Arguably we should do something similar for normal blocks, although that goes against current expectations

Event Timeline

Oops. Didn't notice this was a security bug and put up as a normal patch.

Dont worry, i only put it as security so as not to give OurMine any ideas. I dont really think its a sensitive issue

Not sure why this patch hasn't been merged... JFDI? :)

@Reedy: +2'ed on 2019-05-01 and merged (thanks).
Can this task get closed as resolved? Can it be made public?

Reedy assigned this task to Tgr.

I would think so

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".May 27 2019, 1:23 PM