Mar 30, 2012 at 2:09 PM
Edited Mar 30, 2012 at 2:32 PM
Five minutes ago, I logged into CodePlex from my laptop and checked 'Remember me next time'. Then I logged out.
Then I logged in from my desktop and changed my account password.
Then I went back to my laptop, went to CodePlex - and it logged me straight in. I'm now creating this discussion item using my CodePlex account without having been asked to enter a password.
This appears to be a real-world example of the vulnerability discussed at:
- in other words, if you set a "remember me" cookie on a device that then gets stolen, the thief has full access to your CodePlex account and changing your password won't lock them out.
(EDIT: Not singling out CodePlex here, you understand... it's just the first example I could think of of a high-profile public site that uses .NET forms authentication)
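The mitigation the post implies, as an added example that is not from the post, from CodePlex or from ASP.NET forms authentication itself: a persistent "remember me" token that carries the user's password version, so that changing the password invalidates every previously issued token. Written in Python for illustration; `USERS`, `SERVER_KEY` and the function names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment keeps this in a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Constructed user store. password_version is bumped on every password change
# (ASP.NET Identity calls a similar value the "security stamp").
USERS = {"alice": {"password_version": 1}}


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_remember_me(username: str, now=None, ttl: int = 30 * 24 * 3600) -> str:
    """Return a signed token bound to the user, an expiry and the current password version."""
    now = int(now if now is not None else time.time())
    data = {"u": username, "exp": now + ttl, "pv": USERS[username]["password_version"]}
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload)}"


def validate_remember_me(cookie: str, now=None, check_password_version: bool = True):
    """Return the username if the token is valid, else None.

    check_password_version=False reproduces the weak behaviour from the post:
    the token stays valid after a password change as long as it is unexpired and unforged.
    """
    now = int(now if now is not None else time.time())
    try:
        payload, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload)):  # tampered or forged token
        return None
    data = json.loads(base64.urlsafe_b64decode(payload))
    user = USERS.get(data.get("u"))
    if user is None or data.get("exp", 0) < now:
        return None
    if check_password_version and data.get("pv") != user["password_version"]:
        return None  # password changed since the token was issued
    return data["u"]


def change_password(username: str) -> None:
    """Rotate the version; every outstanding remember-me token for the user is now rejected."""
    USERS[username]["password_version"] += 1
```

Binding the token to a password version (or rotating a server-side token table on password change) is what lets a stolen laptop be locked out by a password reset, which a bare user-id-plus-expiry cookie cannot do.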