When you delete a user, cookie data is not automatically removed #4575
Comments
TheWitness
added
bug
TheWitness
added a commit
that referenced
this issue
Feb 27, 2022
#4578, #4574 -security#4576: Stored XSS Issue in Cacti Device, Graph, Graph Template, and Graph Items callbacks -security#4579: Cacti account lockout policies are not properly applied to LDAP and Domain Users -issue#4573: The Cacti permission system does not scale to very large installations -issue#4575: When you delete a user, their 'remember me' cookie data is not automatically removed -issue#4576: Stored XSS Issue in Cacti Device, Graph, Graph Template, and Graph Items callbacks -issue#4577: Cacti allows you to disable the currently logged in administrator disabling the user -issue#4578: The Cacti login algorithm is complicated to understand due to too much strait line code -feature#4574: Cacti needs some additional permission methods for larger installations This change properly documents the file lib/auth.php using phpDocument format, and performed multiple sanity and readability changes such as the renaming of variables commonly used in multiple functions. The the restructuring of the three authentication files: - auth_login.php - include/auth.php - lib/auth.php Makes the code more readable, it's not a complete solution, however, it is much easier to follow now.
netniV
changed the title
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Describe the bug
When you remove a user, if that user has been using the 'remember me' functionality, their session data in user_auth_cache is not removed. This session data will be removed within 90 days, but you should remove the data immediately if possible.
Expected behavior
Less Cacti bugs.
The text was updated successfully, but these errors were encountered: