
Remember me security bug in guard plugin?

by lukaswojek » Thu Mar 08, 2012 4:22 pm

Hi there

I'm using sfGuardPlugin in almost all projects and today I've discovered something that could be a security/authentication bug - I'm not sure myself :)

This is only true if remember me is enabled and used.
1. User logs in using his username and password and he ticks "remember me" checkbox
2. User closes his browser
3. Admin deactivates given account (is_active = false from now on)
4. User gets back to the site and the "remember me" cookie triggers auto signing in for that user - even though he is not active.

Is this a bug or a feature? ;) - does anyone know?

--
Best regards
Lukasz Wojciechowski
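The scenario in the post above, as an added example that is not part of the original post and is not sfGuardPlugin code: a self-contained PHP model of remember-me sign-in, with a lookup that trusts the token alone beside one that re-checks `is_active` on every cookie sign-in. Apart from `is_active`, every function name, field name and sample value is an assumption made for illustration.

```php
<?php
// Added illustration: all names are hypothetical, all data is constructed.
// One user, and one stored remember-me token (kept as a hash, not in clear).
$users = [7 => ['username' => 'alice', 'is_active' => true]];
$rememberTokens = [
    hash('sha256', 'constructed-sample-token') => ['user_id' => 7, 'expires' => time() + 86400],
];

// Weak form: a matching, unexpired token is enough to sign the user in.
function autoLoginWeak(array $users, array $tokens, string $cookie): ?array
{
    $row = $tokens[hash('sha256', $cookie)] ?? null;
    if ($row === null || $row['expires'] < time()) {
        return null;
    }
    return $users[$row['user_id']] ?? null;
}

// Hardened form: the account state is re-checked on every cookie sign-in,
// and a token that is expired or points at an inactive account is deleted.
function autoLoginChecked(array $users, array &$tokens, string $cookie): ?array
{
    $key = hash('sha256', $cookie);
    $row = $tokens[$key] ?? null;
    if ($row === null || $row['expires'] < time()) {
        unset($tokens[$key]);
        return null;
    }
    $user = $users[$row['user_id']] ?? null;
    if ($user === null || !$user['is_active']) {
        unset($tokens[$key]); // revoke so the cookie cannot be replayed later
        return null;
    }
    return $user;
}

// Steps 3 and 4 from the post: the admin sets is_active = false,
// then the browser returns with the old cookie.
$users[7]['is_active'] = false;
$cookie = 'constructed-sample-token';

// Each line prints whether the cookie alone produced a signed-in user.
var_dump(autoLoginWeak($users, $rememberTokens, $cookie) !== null);
var_dump(autoLoginChecked($users, $rememberTokens, $cookie) !== null);
var_dump(count($rememberTokens)); // tokens left after the checked path ran
```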