(PENDING) Worrying password behaviour.

TonyRPH

Original Poster:

12,973 posts

168 months

Sunday 16th October 2016
I have noticed that some topics are being shown as visited, despite me not visiting them.

This prompted me to change my (Pistonheads) password, just in case my account had been compromised.

However, what has caused me some concern is that I changed my (PH) password while logged in to my laptop, and this morning I went to my PC (already still logged in to PH with the old password) and I was still granted access.

I expected any attempts to access my Pistonheads account on the PC (logged in with the old password remember) to deny me access.

But clearly, the old password has not been invalidated on changing it.

This is not very secure!!!


TonyRPH

Sunday 16th October 2016
budgie smuggler said:
Doubt it, more likely your session was still open. Normal behaviour in a web app, passwords aren't checked every time you view a page.
Yes I realise this - however with PHPBB etc. as soon as you change your password it is invalidated across devices immediately.

I guess that with phpbb, the password is stored locally, rather than a simple cookie (or some other method is used to validate it).




TonyRPH

Monday 17th October 2016
I would also like to add that upon changing my PH password on my laptop, I wasn't prompted to log in again - my session just continued as if nothing had changed.

I had expected my login to expire immediately and then be forced to log in with the new password, but I wasn't.

I'm using Windows 8.1 and Chrome on both laptop and PC btw.
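
The behaviour discussed in this thread, as an added example that is not part of any post and is not Pistonheads or phpBB code: page views check a server-side session rather than the password, so other devices are only logged out on a password change if each session is tied to a per-user counter that the change increments. `SessionStore`, its method names and the sample credentials are hypothetical.

```python
import hashlib
import secrets


class SessionStore:
    """Server-side sessions bound to a per-user password generation counter."""

    def __init__(self):
        self.users = {}     # username -> {"salt", "pw_hash", "generation"}
        self.sessions = {}  # session token -> (username, generation at login)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw_hash": self._hash(password, salt),
                                "generation": 0}

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(
                user["pw_hash"], self._hash(password, user["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, user["generation"])
        return token

    def current_user(self, token):
        """Called on every page view: checks the session, never the password."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, generation = entry
        if generation != self.users[username]["generation"]:
            del self.sessions[token]  # issued before the last password change
            return None
        return username

    def change_password(self, token, new_password):
        username = self.current_user(token)
        if username is None:
            return False
        user = self.users[username]
        user["salt"] = secrets.token_bytes(16)
        user["pw_hash"] = self._hash(new_password, user["salt"])
        user["generation"] += 1  # every older session now fails current_user()
        self.sessions[token] = (username, user["generation"])  # keep this device
        return True
```

Without the generation comparison in `current_user`, a session opened on a second device before the change keeps working until it expires, which is the behaviour reported above.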