I just wanted to send this out to make sure I am not wrong about this.
In the new struts2 profile update form I have removed a small amount of
code which tried to prevent users who were logged in via a 'cookieLogin'
from changing their passwords. I don't really know the history behind
this code and don't even know if it was working anymore, but I am
removing it because ...
1. It *looks* like it doesn't even take effect anymore because I can't
find anywhere in the code which sets the "cookieLogin" attribute on a
session to trigger the behavior.
2. The old code wasn't actually preventing this scenario, it was only
discouraging it. In the old action & jsp it would simply not display
the password form fields when the user had logged in via cookie, but
technically if you submitted the form with the right fields the action
would accept them and modify the password.
3. If this is still a valid security constraint that we want to imply
then I think we can do it in a better way, i.e., to ask for the user's
existing password on the profile update form at all times. Personally I
think this would be overkill, but it's not necessarily unreasonable.
So, if anyone who knows more about this old "cookieLogin" check thinks
it still needs to be in the code, please say so.
-- Allen
Subject: removing cookieLogin check from struts2 profile form (Allen Gilliland)
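The point in item 2 above, that hiding the password inputs in the JSP never stopped a request that carried the field, and the alternative in item 3, verifying the current password in the action regardless of how the session was established, shown side by side. This is an added example, not Roller's code and not a Struts2 action: it is plain Java with no framework dependency, the `User`, `ProfileForm`, `oldUpdateProfile` and `updateProfile` names are made up for the illustration, and PBKDF2 from the JDK stands in for whatever password hashing the project actually uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class ProfileUpdateExample {

    /** Stand-in for the persisted user record (assumption: not Roller's own User class). */
    static final class User {
        final String username;
        String passwordHash; // "base64(salt):base64(pbkdf2)"

        User(String username, String password) {
            this.username = username;
            this.passwordHash = hash(password, newSalt());
        }
    }

    /** Stand-in for the submitted form: exactly the fields the POST carried, whether or not the JSP rendered them. */
    static final class ProfileForm {
        final Map<String, String> fields = new HashMap<>();
        ProfileForm set(String name, String value) { fields.put(name, value); return this; }
        String get(String name) { return fields.get(name); }
    }

    // --- password hashing: PBKDF2-HMAC-SHA256 from the JDK (assumed here, not Roller's scheme) ---

    static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    static String hash(String password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
            byte[] dk = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            return Base64.getEncoder().encodeToString(salt) + ":" + Base64.getEncoder().encodeToString(dk);
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    static boolean verify(String password, String stored) {
        byte[] salt = Base64.getDecoder().decode(stored.split(":")[0]);
        String recomputed = hash(password, salt);
        // constant-time comparison so a wrong guess does not leak how much of the hash matched
        return MessageDigest.isEqual(recomputed.getBytes(StandardCharsets.UTF_8),
                                     stored.getBytes(StandardCharsets.UTF_8));
    }

    // --- the old pattern: the view hides the field for cookie logins, the action trusts the view ---

    /** The cookieLogin flag only ever influenced the JSP; the action itself never looks at it,
     *  so any request that includes passwordText changes the password. */
    static boolean oldUpdateProfile(User user, boolean cookieLogin, ProfileForm form) {
        String newPassword = form.get("passwordText");
        if (newPassword != null && !newPassword.isEmpty()) {
            user.passwordHash = hash(newPassword, newSalt());
            return true;
        }
        return false;
    }

    // --- the alternative from item 3: require the current password, server-side, every time ---

    /** A password change is applied only if the request also proves knowledge of the current
     *  password. How the session was established (cookie or form login) does not matter. */
    static boolean updateProfile(User user, ProfileForm form) {
        String newPassword = form.get("passwordText");
        if (newPassword == null || newPassword.isEmpty()) {
            return false; // no password change requested; other profile fields would be saved here
        }
        String current = form.get("currentPassword");
        if (current == null || !verify(current, user.passwordHash)) {
            return false; // reject: the caller cannot prove it knows the existing password
        }
        user.passwordHash = hash(newPassword, newSalt());
        return true;
    }

    public static void main(String[] args) {
        // Constructed request: a cookie-login session posts the "hidden" field anyway.
        ProfileForm forged = new ProfileForm().set("passwordText", "attacker-chosen");

        User alice = new User("alice", "correct horse");
        System.out.println("old action changed password: " + oldUpdateProfile(alice, true, forged));
        System.out.println("attacker password now works:  " + verify("attacker-chosen", alice.passwordHash));

        User bob = new User("bob", "correct horse");
        System.out.println("new action, no current password: " + updateProfile(bob, forged));
        System.out.println("original password still works:   " + verify("correct horse", bob.passwordHash));

        ProfileForm legit = new ProfileForm().set("currentPassword", "correct horse").set("passwordText", "new secret");
        System.out.println("new action, correct current password: " + updateProfile(bob, legit));
        System.out.println("new password works:                   " + verify("new secret", bob.passwordHash));
    }
}
```

Running `main` shows the forged request succeeding against `oldUpdateProfile` and being refused by `updateProfile` until the correct current password accompanies it. The design choice is that the check lives in the action, the one place every request must pass through, rather than in the view that a client is free to ignore.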