Phuks-co / throat

Open Source link aggregator and discussion platform powering Phuks
https://phuks.co
MIT License

Make users log in again on account status or password change #85

Closed happy-river closed 4 years ago

happy-river commented 4 years ago

If your unlocked laptop is stolen while you are logged into Throat, you can now stop the perpetrator from posting under your name by changing your password on another device. Changing your password now makes all browser sessions other than the one you are using ask for login credentials again. Deleting your account also now invalidates all your browser sessions. The implementation is as suggested by the flask-login docs.

Also change login via email confirmation or password reset so they don't set the remember cookie. Now that cookie will only be set when the user turns on the checkbox on the login page.

Polsaker commented 4 years ago

As far as I've tested (logging in with two accounts on two different browsers and changing the password from one of the browsers) this is not working. Also, instead of having two UIDs it might be better to just store a counter in the session and check if it matches a field in the database (if I recall correctly, this is what the resets field in the User model was supposed to do, but it was never implemented).

happy-river commented 4 years ago

Are you logging in with two accounts on two different browsers or one account on two different browsers?

I'll change this to put resets to use instead of adding a field to the User model.

Polsaker commented 4 years ago

Same account on two browsers

Polsaker commented 4 years ago

Tried again just in case and it worked, I might have forgotten to switch to your branch before <_<

happy-river commented 4 years ago

I've removed the new field and put User.resets to use.
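The counter scheme this thread settles on, as an added illustration that is not throat's own code: the value kept in the session is the user id plus the `resets` counter, the user loader refuses any session whose counter no longer matches the row, and a password change or account deletion bumps the counter so every other browser has to log in again. `User`, `load_user`, `change_password`, `delete_account` and the sample data are constructed for this example, and the SHA-256 call is a placeholder for the real password hash.

```python
from dataclasses import dataclass
import hashlib

USERS: dict = {}  # in-memory stand-in for the User table (constructed, not throat's model)

@dataclass
class User:
    uid: int
    pw_hash: str
    resets: int = 0      # incremented on password change or account deletion
    deleted: bool = False

    def get_id(self) -> str:
        # Value flask-login keeps in the session: uid plus the current counter
        # (the "alternative token" shape described in its docs).
        return f"{self.uid}${self.resets}"

def hash_pw(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()  # placeholder; use a real KDF in production

def load_user(session_id: str):
    """user_loader callback: map the session value to a User, or None to force re-login."""
    uid_s, _, resets_s = session_id.partition("$")
    if not (uid_s.isdigit() and resets_s.isdigit()):
        return None
    user = USERS.get(int(uid_s))
    if user is None or user.deleted:
        return None                       # deleted account: every browser session dies
    if int(resets_s) != user.resets:
        return None                       # stale counter: password was changed elsewhere
    return user

def change_password(user: User, new_pw: str) -> str:
    user.pw_hash = hash_pw(new_pw)
    user.resets += 1                      # every previously issued session id stops resolving
    return user.get_id()                  # the changing browser re-stores this and stays logged in

def delete_account(user: User) -> None:
    user.deleted = True
    user.resets += 1

def demo() -> dict:
    alice = User(1, hash_pw("old"))
    USERS[alice.uid] = alice
    laptop = alice.get_id()               # session on the stolen, unlocked laptop
    phone = change_password(alice, "new") # owner changes the password from the phone
    out = {"laptop_after_change": load_user(laptop) is None,
           "phone_after_change": load_user(phone) is alice}
    delete_account(alice)
    out["phone_after_delete"] = load_user(phone) is None
    return out
```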