Remove security-relevant information from User-States
swerder opened this issue · 1 comments
swerder commented
The information set by user->setStates is part of the Relogin cookie, so it is editable by the user.
Therefore, remove all security-relevant information from there and store it in another place.
Also change all uses of this information to the new place.
swerder commented
Remove the information only from the cookie content (and do not allow getting it from there); same effect.
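The approach discussed in this issue, as an added sketch that is not the project's own code: security-relevant states are kept out of the relogin cookie and are never read back from it. The function names, the `SECURITY_STATES` key set and the dict used as a server-side store are hypothetical, and Python is used only for illustration.

```python
import json

# Assumption: which state keys are security relevant; the issue does not list them.
SECURITY_STATES = frozenset({"roles", "is_admin"})


def split_states(states):
    """Return (cookie_safe, security_relevant) from a dict of user states."""
    safe = {k: v for k, v in states.items() if k not in SECURITY_STATES}
    sensitive = {k: v for k, v in states.items() if k in SECURITY_STATES}
    return safe, sensitive


def build_relogin_cookie(user_id, states, server_store):
    """Keep security-relevant states server side; serialize the rest for the cookie."""
    safe, sensitive = split_states(states)
    server_store[user_id] = sensitive
    return json.dumps(safe, sort_keys=True)


def restore_states(user_id, cookie_value, server_store):
    """Rebuild states on relogin.

    user_id is assumed to be already verified by the relogin token check,
    which is outside this sketch. Security-relevant keys found in the cookie
    are dropped and reported, never applied.
    """
    try:
        client = json.loads(cookie_value)
    except ValueError:
        client = {}
    if not isinstance(client, dict):
        client = {}
    safe, rejected = split_states(client)
    states = dict(safe)
    states.update(server_store.get(user_id, {}))
    return states, sorted(rejected)


if __name__ == "__main__":
    store = {}  # constructed stand-in for a session table or database
    cookie = build_relogin_cookie(
        "u1", {"language": "de", "roles": ["user"], "is_admin": False}, store)
    # Constructed tampered cookie: the user adds privileged states by hand.
    tampered = json.dumps({"language": "de", "is_admin": True, "roles": ["admin"]})
    print(cookie)
    print(restore_states("u1", tampered, store))
```

The list of rejected keys returned by `restore_states` can be logged, since a security-relevant key showing up in the cookie means the cookie was edited or was written by an older version.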