user_save() regenerates session without password change

Log in from two different browsers, edit and save your account in one (don't change the password), and you become logged out in the other.

In user_save() there is this code:

    // If the password changed, delete all open sessions and recreate
    // the current one.
    if (isset($array['pass'])) {
      sess_destroy_uid($account->uid);
      sess_regenerate();
    }

However, when the user edit form is submitted, $array['pass'] is set (but empty), so the session is regenerated, even though the password doesn't change.

Comment	File	Size	Author
	user.module_73.patch	648 bytes	John Morahan

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

drumm’s picture

Comment #1

he/him

NY, US

CreditAttribution: drumm commented 8 August 2007 at 07:02

Version:	5.2	» 6.x-dev
Status:	Needs review	» Reviewed & tested by the community

Committed to 5.x.

Applies to HEAD.

Log in or register to post comments

Gábor Hojtsy’s picture

Comment #2

he/him

Hungarian

Hungary

CreditAttribution: Gábor Hojtsy commented 9 August 2007 at 10:49

Status:

Reviewed & tested by the community

» Fixed

Thanks, committed!

Log in or register to post comments

Comment #3

(not verified) CreditAttribution: commented 23 August 2007 at 11:33

Status:

Fixed

» Closed (fixed)

Log in or register to post comments