Still lets you have console access after changing account password or deleting your account #5013
Comments
CodesterDubs
added
the
not confirmed
|
When the token rotates, it should invalidate. |
That's what I would think it should do. See the recording attatched. |
|
The token only rotates every 10-15 minutes. When it expires / is about to expire, the panel needs to send auth details of the user. When you reload the page this happens immediately, you can see this when you have multiple tabs open and only reload one of those. |
|
Seems like a pretty major flaw, especially as people may sometimes reset a password or delete an account in order to immediately stop access to systems. Does the console still work when the user is deleted? Or is it just password updates? |
It still works when the account is deleted |
|
Why aren't sessions invalidated / tokens regenerated upon account deletion? Seems like the obvious thing to do |
|
Yeah that's what I would have thought too but apparently not... |
Current Behavior
I changed my panel user account password from another browser on Account B. I was on console with Account A and if I don't refresh the page, I can still send console commands until I refresh the page. The same thing happens if I delete Account A while on console.
Expected Behavior
It should log you out of the panel as soon as your password is changed or account deleted without having to refresh the page.
Steps to Reproduce
Have two accounts and two browsers. On one account, open console of a running server. On the other account, go to the users admin page and change the password or delete the account. The other account will still have access to send commands in the console of the server.
Panel Version
1.11.5
Wings Version
1.11.8
Games and/or Eggs Affected
No response
Docker Image
No response
Error Logs
No response
Is there an existing issue for this?
The text was updated successfully, but these errors were encountered: