Login session not "cleared" when creating new admin (security framework related?)
Sorry if this one should go into the TYPO3 package - if so, please move it :)
On "latest.phoenix.typo3.org" I got the possibility of deleting the main/home page. If I do so, I get the page "Welcome to TYPO3" where I can click the "Enter setup" link.
Clicking that link, makes it possible to import a new package and create a new admin user. I did so, and entered a new value to the "password" field. My user was created and/but my login session was still valid, meaning I could edit content with the admin user having "wrong" credentials.
Logging out and try to login with the admin/password combination didn't give me access, until I used the newly entered combination.
I might expect, that me changing(/creating a new and clearing current?) admin user credentials, should in some way make my session invalid, as it is not the same admin user object? Is this correctly understood? Should this be considered a bug?
#1 Updated by Karsten Dambekalns almost 9 years ago
- Status changed from New to Needs Feedback
Well, this is really something that could be solved in the TYPO3 package. But there should be no automatism - imagine you'd be logged out whenever you create a new user in the system... This is a special case, as running the setup seems to imply a "fresh system", but that's not really the case.