delete all tokens on password change

2012-10-11 11:54:40 +02:00 · 2012-10-11 11:54:40 +02:00 · 2ea06f67bd
parent 45f1c3f120
commit 2ea06f67bd
2 changed files with 7 additions and 3 deletions
--- a/lib/base.php
+++ b/lib/base.php
@ -552,9 +552,11 @@ class OC{
 				OC_Util::redirectToDefaultPage();
 				// doesn't return
 			}
-			// if you reach this point you are an attacker
-			// we remove all tokens to be save
-			OC_Preferences::deleteApp($_POST['user'], 'login_token');
+			// if you reach this point you have changed your password 
+			// or you are an attacker
+			// we can not delete tokens here because users will reach 
+			// this point multible times after a password change
+			//OC_Preferences::deleteApp($_POST['user'], 'login_token');
 		}
 		OC_User::unsetMagicInCookie();
 		return true;
--- a/lib/user.php
+++ b/lib/user.php
@ -329,6 +329,8 @@ class OC_User {
 					}
 				}
 			}
+			// invalidate all login cookies
+			OC_Preferences::deleteApp($uid, 'login_token');
 			OC_Hook::emit( "OC_User", "post_setPassword", array( "uid" => $uid, "password" => $password ));
 			return $success;
 		}