When chosen to select passwords during registration, 'conf_pass' is stored in the 'data' field of the 'users' table unencrypted. Actually this is not a logintoboggan bug because the 'data' array is generated automatically in user.module, but I hope this can be fixed by making some improvements to logintoboggan's logic.

Comments

hunmonk

Version: 4.7.x-1.x-dev » 7.x-1.x-dev
Priority: Normal » Critical
Status: Active » Fixed

good catch. both conf_pass and conf_mail are now explicitly unset before saving the user, so this should no longer be a problem. i checked 4.6, and the problem doesn't exist there.

fix committed to 4.7 and HEAD. please let me know if there are any other problems.
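The fix described in the comment above stops new registrations from storing these fields, but rows saved before it can still carry them. The following is an added example, not code from logintoboggan or Drupal: a standalone PHP sketch that finds and strips `conf_pass` and `conf_mail` from serialized `data` values. The function name `scrub_user_data` and the sample rows are hypothetical and constructed for illustration.

```php
<?php
// Keys named in the issue; everything else in this sketch is hypothetical.
const LEAKED_KEYS = ['conf_pass', 'conf_mail'];

/**
 * Strip leftover confirmation fields from one serialized users.data value.
 * Returns [serialized string, list of key names that were removed].
 */
function scrub_user_data(string $serialized): array
{
    if ($serialized === '') {
        return [$serialized, []];
    }
    // allowed_classes=false: never instantiate objects from database content.
    $data = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [$serialized, []]; // corrupt or not an array: leave untouched
    }
    $removed = [];
    foreach (LEAKED_KEYS as $key) {
        if (array_key_exists($key, $data)) {
            unset($data[$key]);
            $removed[] = $key;
        }
    }
    return [$removed ? serialize($data) : $serialized, $removed];
}

// Constructed sample rows standing in for (uid => data) pairs from the users table.
$rows = [
    1 => serialize(['contact' => 1]),
    2 => serialize(['conf_pass' => 'constructed-secret',
                    'conf_mail' => 'user@example.com', 'contact' => 0]),
    3 => '',
    4 => 'not-serialized',
];

foreach ($rows as $uid => $serialized) {
    [$clean, $removed] = scrub_user_data($serialized);
    if ($removed) {
        // Report key names only; never echo the leaked value itself.
        printf("uid %d: removed %s\n", $uid, implode(', ', $removed));
        $rows[$uid] = $clean; // a real cleanup would write this back to users.data
    }
}
```

Rows scrubbed this way held the password in clear text, so any backups or database dumps taken before the cleanup still contain it.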

Anonymous

Status: Fixed » Closed (fixed)