Ask user for an old password on password change [5.2.1-RC1]

Right now, a logged-in user can change their password without any further checks. This becomes a problem when the user's session cookie has been stolen by an attacker: the attacker can then change the user's password just as easily.

I'm proposing to add an "Old Password" virtual field to the password change form, which becomes required when a change attempt is detected on the Password/VerifyPassword fields.
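
A sketch of the proposed validation rule, added here as an illustration and not taken from the project's code. The `OldPassword` key, the error codes, the helper names and the PBKDF2 storage scheme are assumptions; only the Password/VerifyPassword field names come from the proposal.

```python
import hashlib
import hmac
import os

# Assumed storage scheme for this sketch: salted PBKDF2-HMAC-SHA256.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) for a password (hypothetical helper)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_password(password, salt, digest):
    """Constant-time comparison of a candidate password with the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def validate_profile_form(form, stored_salt, stored_digest):
    """Return {field: error_code}; an empty dict means the form is valid."""
    errors = {}
    password = form.get("Password", "")
    verify = form.get("VerifyPassword", "")

    # A change attempt is any non-empty value in either password field.
    if not password and not verify:
        return errors  # other profile edits do not need the old password

    if password != verify:
        errors["VerifyPassword"] = "passwords_do_not_match"

    # The virtual field becomes required only once a change is attempted,
    # so a stolen session cookie alone is not enough to set a new password.
    old = form.get("OldPassword", "")
    if not old:
        errors["OldPassword"] = "required"
    elif not check_password(old, stored_salt, stored_digest):
        errors["OldPassword"] = "invalid_password"
    return errors


# Constructed sample account used to exercise the rule.
SALT, DIGEST = hash_password("correct horse")
```

The check has to run server-side on every submission; hiding or showing the field in the form is presentation only.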

Related Tasks