Possible security issue: API Login Token always allows permanent login

Kirby

Well-known member
Affected version
2.2.13
API call auth/login-token allows to request a login token that either logs the user in just for one session (remember = 0) or permanently (remember=1) .

However, this setting is not part of the token and thus not validated when the token is redeemed.

This allows every token to be used for a permanent login which might be a security issue.
 
Last edited:
Back
Top Bottom