Possible security issue: API Login Token always allows permanent login

Status: This content is read-only, or is not open for further replies.

Kirby

Guest

offline

OP
Nov 4, 2023
0
359

API call auth/login-token allows to request a login token that either logs the user in just for one session (remember = 0) or permanently (remember=1) .

However, this setting is not part of the token and thus not validated when the token is redeemed.

This allows every token to be used for a permanent login which might be a security issue.

Continue reading...

Show hidden low quality content

Status: This content is read-only, or is not open for further replies.

Facebook Reddit Pinterest WhatsApp Email Link

Home
Community
Rss Feed
Xenforo RSS

This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.

Accept Learn more…

Top Bottom