On 04/10/2015 08:44 AM, Devin Reade wrote:
> In the case where a list owner or moderator password has been
> compromised, or when performing a change of owner/moderator,
> one should obviously change the related passwords. However,
> if a former owner/moderator (or the person who stole the password)
> still has their browser open, their cookie is still valid
> and they can continue to access and change the list.
Are you sure? The data that is hashed in the cookie contains the password and the validation process uses the current password, so a pre-change cookie is not still valid.

You can get confused if you change the password from the web UI, because that also updates the cookie for the browser doing the change. If you log in with a browser and get a cookie and then change the PW with bin/change_pw, you'll see the browser's cookie is no longer valid.

-- 
Mark Sapiro <[email protected]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list
[email protected]
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
