By smithaa02 on
I definitely changed a password for a user, but they were able to login anyways because (I assume) a cookie remembered their login and didn't bother with a password.
Am I misunderstanding how this works or this an issue where changed passwords aren't a fail-safe way to lock somebody out in Drupal?
Comments
=-=
Interesting, someone else will have to confirm (especially with Drupal 4.7.x) but I think because they were already issued a session which was trapped in the DB and remained active per the session lifetime set in settings.php that they were basically "already logged in" and the new password wouldn't have mattered until they physically logged out or were logged out by the session lifetime expiration.