Skip to content

Commit

Permalink
[SS-2016-008] Reset Member::Salt on password change
Browse files Browse the repository at this point in the history
  • Loading branch information
dhensby authored and Damian Mooyman committed Aug 15, 2016
1 parent bf19806 commit f85dea2
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion security/Member.php
Original file line number Diff line number Diff line change
Expand Up @@ -824,7 +824,7 @@ public static function create_new_password() {
} else {
$random = rand();
$string = md5($random);
$output = substr($string, 0, 6);
$output = substr($string, 0, 8);
return $output;
}
}
Expand Down Expand Up @@ -880,6 +880,9 @@ public function onBeforeWrite() {
// Note that this only works with cleartext passwords, as we can't rehash
// existing passwords.
if((!$this->ID && $this->Password) || $this->isChanged('Password')) {
//reset salt so that it gets regenerated - this will invalidate any persistant login cookies
// or other information encrypted with this Member's settings (see self::encryptWithUserSettings)
$this->Salt = '';
// Password was changed: encrypt the password according the settings
$encryption_details = Security::encrypt_password(
$this->Password, // this is assumed to be cleartext
Expand Down

0 comments on commit f85dea2

Please sign in to comment.