Losing masquerade when changing password
cYu - August 29, 2008 - 16:35
| Project: | Masquerade |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed |
Description
If I masquerade as a user and then navigate to account details and change that user's password it appears I am no longer masquerading but am actually logged in as that user. Trying to go to /masquerade/unswitch at this point does not work.
#1
This is caused by the session being regenerated when the password is changed. I think the best solution is to implement hook_user, save the sid before the password is changed, and then update the session after a new one is generated.
Or, we could add a note that changing the password will prevent switching back for security purposes. Or, disable password changing completely.
#2
Here is a patch which fixes the issue by storing the old session ID and updating the {masquerade} table if the sid is changed. I'll be committing it shortly.
#3
Automatically closed -- issue fixed for 2 weeks with no activity.