contao/core

3.5.28: Member with auto-login still logged in although his credentials changed

connine opened this issue · 2 comments

I noticed the following behavior in Contao 3.5.28:

  • I used a member account to log into a restricted FE page and checked the auto-login option
  • I changed the username of this member in the BE and closed the browser I used for FE login
  • I opened the browser again and was logged in automatically with my old credentials
  • The same happened when I changed the password of this member account

In my opinion the auto-login function should be disabled if the account information changes.

As discussed in Mumble on February 15th, we should remove the autologin hash from tl_member.autologin if the username or the password changes. This affects Contao 3.5 to 4.4 (Contao 4.5 uses Symfony security).
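The invalidation rule described in the comment above, as an added illustration that is not contao/core's own code: a helper that clears the stored auto-login token whenever the username or the stored password hash differs between the record as loaded and as saved, plus the cookie-side check that then rejects a browser still holding the old token. The column names `username`, `password` and `autologin` follow tl_member; the function names, the `hash_equals` comparison and the sample rows are assumptions.

```php
<?php
// Added example, not contao/core code. Assumes a tl_member row with the
// columns username, password (stored hash) and autologin (the cookie token).

/**
 * Compare the record as loaded ($old) with the record as submitted ($new).
 * If either credential changed, clear the auto-login token so that any
 * browser still holding the old cookie can no longer be logged in silently.
 */
function invalidateAutologinOnCredentialChange(array $old, array $new): array
{
    $usernameChanged = $old['username'] !== $new['username'];
    // An edit that leaves the password alone keeps the same stored hash;
    // a new password produces a different hash.
    $passwordChanged = $old['password'] !== $new['password'];

    if ($usernameChanged || $passwordChanged) {
        $new['autologin'] = null;
    }

    return $new;
}

/**
 * Cookie-side check: the token sent by the browser is only accepted if the
 * member still has a stored token and it matches in constant time.
 */
function isAutologinTokenValid(string $cookieToken, ?string $storedToken): bool
{
    if ($storedToken === null || $storedToken === '') {
        return false;
    }
    return hash_equals($storedToken, $cookieToken);
}

// Constructed sample data for the scenario in the issue.
$loaded = [
    'username'  => 'alice',
    'password'  => '$2y$10$constructedoldpasswordhashvalue',
    'autologin' => 'constructed-autologin-token',
];
$cookieToken = $loaded['autologin'];

// Edit 1: nothing credential-related changes, so the token survives.
$saved = invalidateAutologinOnCredentialChange($loaded, $loaded);
var_dump(isAutologinTokenValid($cookieToken, $saved['autologin']));

// Edit 2: the username is changed in the back end, so the token is dropped
// and the old cookie no longer logs the member in.
$renamed = array_merge($loaded, ['username' => 'alice2']);
$saved = invalidateAutologinOnCredentialChange($loaded, $renamed);
var_dump(isAutologinTokenValid($cookieToken, $saved['autologin']));
```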

Fixed in 9a6cc88.