bhudgens
commented
8 years ago - When a user changes their identity by passing a url token, if the token is expired, we currently fall through and would support their session cookie still. Instead, if an identity change is being requested, even with an expired token, we will at least prompt for auth, which will allow the user to log back in as themselves.
- This fixes a scenario where you are logged in as someone else and are unable to click an old link to login as yourself to get back into your own identity
jeffoconnell