From ab52b677aac5caae974928642aee42cc76f54f65 Mon Sep 17 00:00:00 2001 From: Daniel Hensby Date: Fri, 28 Feb 2014 14:27:45 +0000 Subject: [PATCH] FIX Log out current member when forgotten password At the moment, if a user is logged in on a device (say, their phone) but has forgotten their password. If they attempt to reset their password on their desktop, then open the email on their phone they then see the reset password form *with* the CurrentPassword field. I'm not entirely sure what happens if a DIFFERENT user is currently logged in, but I think they remain logged in and you're effectively trying to change their password. Both scenarios are not ideal and (in fact) this happens a lot in the real world as it's a legitimate complaint we're receiving from a visitors of one of our client's websites. --- security/Security.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/security/Security.php b/security/Security.php index f33335899..01cd8d95c 100644 --- a/security/Security.php +++ b/security/Security.php @@ -634,6 +634,11 @@ class Security extends Controller implements TemplateGlobalProvider { if(isset($_REQUEST['t']) && $member && $member->validateAutoLoginToken($_REQUEST['t'])) { // On first valid password reset request redirect to the same URL without hash to avoid referrer leakage. + // if there is a current member, they should be logged out + if ($curMember = Member::currentUser()) { + $curMember->logOut(); + } + // Store the hash for the change password form. Will be unset after reload within the ChangePasswordForm. Session::set('AutoLoginHash', $member->encryptWithUserSettings($_REQUEST['t']));