- Affected version: 2.2.13
API call auth/login-token allows requesting a login token that either logs the user in just for one session (remember = 0) or permanently (remember = 1). However, this setting is not part of the token and thus not validated when the token is redeemed.
This allows every token to be used for a permanent login which might be a security issue.
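One way to bind the remember setting to the token so that redemption can validate it, as an added example that is not part of the original report and not the product's own code. The HMAC-signed token format, the function names `issue_login_token` and `redeem_login_token`, and the in-memory nonce set are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)   # assumption: server-side signing key
REDEEMED = set()                   # nonces already redeemed (single-use tokens)

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_login_token(user_id: int, remember: bool, ttl: int = 60) -> str:
    """Issue a token whose signed payload carries the remember flag."""
    payload = json.dumps({"uid": user_id, "remember": bool(remember),
                          "exp": int(time.time()) + ttl,
                          "nonce": secrets.token_hex(16)}, sort_keys=True).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(mac)

def redeem_login_token(token: str, requested_remember=None) -> dict:
    """Verify the token; the session lifetime comes from the token only."""
    try:
        payload_part, mac_part = token.split(".")
        payload, mac = b64d(payload_part), b64d(mac_part)
    except (ValueError, TypeError):
        raise PermissionError("malformed token")
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("bad signature")
    claims = json.loads(payload)
    if claims["exp"] < time.time():
        raise PermissionError("token expired")
    if claims["nonce"] in REDEEMED:
        raise PermissionError("token already used")
    # A redemption request asking for a different lifetime than issued is refused.
    if requested_remember is not None and bool(requested_remember) != claims["remember"]:
        raise PermissionError("remember flag does not match token")
    REDEEMED.add(claims["nonce"])
    return {"user_id": claims["uid"], "persistent": claims["remember"]}
```

Because the flag sits inside the signed payload, a session-only token cannot be upgraded to a permanent login at redemption time, and any change to the payload invalidates the signature.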