delete all tokens on password change

Michael Göhler 2012-10-11 11:54:40 +02:00
parent 45f1c3f120
commit 2ea06f67bd
2 changed files with 7 additions and 3 deletions


@ -552,9 +552,11 @@ class OC{
OC_Util::redirectToDefaultPage();
// doesn't return
}
// if you reach this point you are an attacker
// we remove all tokens to be save
OC_Preferences::deleteApp($_POST['user'], 'login_token');
// if you reach this point you have changed your password
// or you are an attacker
// we can not delete tokens here because users will reach
// this point multible times after a password change
//OC_Preferences::deleteApp($_POST['user'], 'login_token');
}
OC_User::unsetMagicInCookie();
return true;
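Review bot: The failed-token branch no longer does anything, so a cookie carrying an unknown token for a user now leaves no trace and has no effect, where the old code wiped that user's tokens. The new comment itself allows that the caller may be an attacker, so this branch should at least record the event; the comment could then read `// unknown token: the password was changed (tokens already deleted in OC_User) or the cookie is forged, so log it`. The disabled `//OC_Preferences::deleteApp($_POST['user'], 'login_token');` line should be removed rather than kept as dead code, and `multible` should be `multiple`. The enclosing method starts above the hunk, so how often this branch is reached after a password change cannot be checked from here.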


@ -329,6 +329,8 @@ class OC_User {
}
}
}
// invalidate all login cookies
OC_Preferences::deleteApp($uid, 'login_token');
OC_Hook::emit( "OC_User", "post_setPassword", array( "uid" => $uid, "password" => $password ));
return $success;
}
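Review bot: The added `OC_Preferences::deleteApp($uid, 'login_token');` runs whether or not the password was actually changed, because it sits ahead of `return $success;` with no check on `$success`. Deleting on failure is the safe direction, but if it is intended the comment should say so, e.g. `// invalidate all remember-me tokens, even if no backend accepted the new password`. The comment also promises "all login cookies", while the call only removes the stored `login_token` entries. Nothing visible in the hunk ends sessions that are already established, so that is worth confirming in the part of the function above the hunk.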