Greatly improve login-related actions for Admin

* Better isolate admin to prevent session related vulnerabilities
* Removed support for custom login redirects for improved security
* Shortened forgot-password link lifetime from 7 days to 1 hour
* Fixed login-related pages being accessible from admin when user has logged in
* Fixed admin user creation and password reset allowing unsafe passwords
* Fixed missing validation when registering the first admin user
* Fixed reset password email not to have session-specific token in it
Matias Griese
2021-03-26 14:39:37 +02:00
parent e14e72958f
commit aa4f80eec1
22 changed files with 1930 additions and 663 deletions

admin.php (636): file diff suppressed because it is too large