[Mailman-Users] force re-authentication in web UI

Mark Sapiro mark at msapiro.net
Sat Apr 11 13:45:54 CEST 2015


On 04/10/2015 08:44 AM, Devin Reade wrote:
> In the case where a list owner or moderator password has been 
> compromised, or when performing a change of owner/moderator, 
> one should obviously change the related passwords.  However,
> if a former owner/moderator (or the person who stole the password)
> still has their browser open, their cookie is still valid
> and they can continue to access and change the list.


Are you sure? The data that is hashed in the cookie contains the
password and the validation process uses the current password, so a
pre-change cookie is not still valid.

You can get confused if you change the password from the web UI, because
that also updates the cookie for the browser doing the change.

If you log in with a browser and get a cookie and then change the PW
with bin/change_pw, you'll see the browser's cookie is no longer valid.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
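The behaviour Mark describes (the cookie's MAC is computed over the list's stored password, so validation against the current password rejects any cookie issued before the change) can be modelled in a few lines. The following is an added example written for this page, not Mailman's own SecurityManager code: the key derivation, the cookie layout, the 7-day lifetime and the `ListAuth` name are all assumptions chosen for illustration. It replays the thread's scenario: log in, change the password out of band (as bin/change_pw does), and observe that the old cookie stops validating while a cookie issued after the change still works.

```python
import base64
import hashlib
import hmac
import json
import time

# Illustrative model of a password-bound session cookie (added example, not
# Mailman's code). The list's stored password hash is the MAC key, so a cookie
# is only valid for as long as that password is the current one.


def hash_password(password: str) -> str:
    """Stand-in for the stored owner/moderator password hash (assumption:
    plain SHA-256; a real deployment would use a salted password hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class ListAuth:
    """Issues and validates cookies for one list role (hypothetical class)."""

    def __init__(self, password: str, max_age: int = 7 * 24 * 3600):
        self.secret = hash_password(password)
        self.max_age = max_age  # assumed lifetime cap, independent of the password

    def change_password(self, new_password: str) -> None:
        """Equivalent of bin/change_pw: replace the stored secret; nothing
        else is needed to invalidate outstanding cookies."""
        self.secret = hash_password(new_password)

    def _mac(self, issued: int) -> str:
        # Bind the cookie to the *current* secret and its issue time.
        return hmac.new(self.secret.encode("ascii"), str(issued).encode("ascii"),
                        hashlib.sha256).hexdigest()

    def issue_cookie(self, now: float = None) -> str:
        """Log in: mint a cookie carrying (issued, mac)."""
        issued = int(time.time() if now is None else now)
        payload = json.dumps({"issued": issued, "mac": self._mac(issued)})
        return base64.urlsafe_b64encode(payload.encode("utf-8")).decode("ascii")

    def validate_cookie(self, cookie: str, now: float = None) -> bool:
        """Recompute the MAC with the current secret; a cookie minted under an
        old password can never match, regardless of the browser's state."""
        now = time.time() if now is None else now
        try:
            data = json.loads(base64.urlsafe_b64decode(cookie.encode("ascii")))
            issued = int(data["issued"])
            mac = str(data["mac"])
        except (ValueError, KeyError, TypeError):
            return False  # malformed or tampered cookie
        if issued > now + 60 or now - issued > self.max_age:
            return False  # from the future, or past the lifetime cap
        return hmac.compare_digest(self._mac(issued), mac)


def demo():
    """Replay the thread's scenario with a constructed clock.
    Returns (valid_before_change, valid_after_change, fresh_cookie_valid)."""
    auth = ListAuth("old-owner-pw")
    t0 = 1_700_000_000  # constructed timestamp
    cookie = auth.issue_cookie(now=t0)               # owner logs in
    before = auth.validate_cookie(cookie, now=t0 + 10)
    auth.change_password("new-owner-pw")             # like bin/change_pw
    after = auth.validate_cookie(cookie, now=t0 + 20)  # old browser's cookie
    fresh = auth.issue_cookie(now=t0 + 30)           # re-login, or the web UI
    fresh_ok = auth.validate_cookie(fresh, now=t0 + 40)  # re-issuing the cookie
    return before, after, fresh_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The web-UI confusion in the thread falls out of the same model: a password change made through the browser that holds the session can simply call `issue_cookie` again under the new secret, so that one browser keeps working while every other holder of the old cookie is locked out. Note that invalidation here rests entirely on the credential changing; the lifetime cap is a separate, assumed control and would not help on its own.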

