Possible security issue: API Login Token always allows permanent login

Thread starter Kirby
Start date Nov 4, 2023

Kirby

Well-known member

Nov 4, 2023

Affected version: 2.2.13

API call auth/login-token allows to request a login token that either logs the user in just for one session (remember = 0) or permanently (remember=1) .

However, this setting is not part of the token and thus not validated when the token is redeemed.

This allows every token to be used for a permanent login which might be a security issue.

Last edited: Nov 4, 2023

Similar threads

XF 2.2 Issue with the API endpoints

Replies: 12

Views: 2K

Jan 13, 2022

Jackie13

Fixed API endpoint: /login/api-token - cannot log user in if already logged in

Replies: 3

Views: 2K

Feb 26, 2021

Rezpkt

Fixed Credential Leakage In Auth API

Replies: 4

Views: 2K

Mar 1, 2021

XF Bug Bot

Cloudflare optimizations for XenForo

7 8 9

Replies: 175

Views: 17K

Jan 22, 2024

digitalpoint

XF 2.2 Reacting via API

Replies: 2

Views: 450

Jun 18, 2021

Dannymh

Facebook X (Twitter) LinkedIn Reddit Pinterest Tumblr WhatsApp Email Link

We value your privacy

We use essential cookies to make this site work, and optional cookies to enhance your experience.

See further information and configure your preferences

Accept all cookies Reject optional cookies
Essential cookies

These cookies are required to enable core functionality such as security, network management, and accessibility. You may not reject these.

Optional cookies

We deliver enhanced functionality for your browsing experience by setting these cookies. If you reject them, enhanced functionality will be unavailable.

Third-party cookies

Cookies set by third parties may be required to power functionality in conjunction with various service providers for security, analytics, performance or advertising purposes.

Detailed cookie usage

Privacy policy

Top Bottom

Possible security issue: API Login Token always allows permanent login

Kirby

Well-known member

Similar threads

We value your privacy