I'm using sfGuardPlugin in almost all projects and today I've discovered something that could be a security/authentication bug - I'm not sure myself
This is only true if remember me is enabled and used.
1. User logs in using his username and password and he ticks "remember me" checkbox
2. User closes his browser
3. Admin deactivates given account (is_active = false from now on)
4. User get's back to the site and "remember me" cookie triggers auto signing in for that user - even that he is not active.
Is this a bug or feature ? - anyone knows ?