From 82f339c4a04fd71c586638c2f9fa2c399ee699d7 Mon Sep 17 00:00:00 2001
From: Alex <40072887+alexdcrane@users.noreply.github.com>
Date: Thu, 26 Feb 2026 17:02:56 -0700
Subject: [PATCH] Remove remember me tokens when password is updated (#7759)
* Update user_edit.php
* Update user_profile.php
---
 core/users/user_edit.php | 10 ++++++++++
 core/users/user_profile.php | 12 +++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/core/users/user_edit.php b/core/users/user_edit.php
index 7cfe891fe4..d41c16363f 100644
--- a/core/users/user_edit.php
+++ b/core/users/user_edit.php
@@ -533,10 +533,20 @@
 unlink(session_save_path() . "/sess_" . $row['session_id']);
 }
 }
+ unset($sql, $parameters);
 //create a one way hash for the user password
 $array['users'][$x]['password'] = password_hash($password, PASSWORD_DEFAULT, $options);
 $array['users'][$x]['salt'] = null;
+
+ //remove remember me tokens
+ $sql = "update v_user_logs ";
+ $sql .= "set remember_selector = null, ";
+ $sql .= "remember_validator = null ";
+ $sql .= "where user_uuid = :user_uuid ";
+ $parameters['user_uuid'] = $user_uuid;
+ $database->execute($sql, $parameters);
+ unset($sql, $parameters);
 }
 $array['users'][$x]['user_email'] = $user_email;
 $array['users'][$x]['user_status'] = $user_status;
diff --git a/core/users/user_profile.php b/core/users/user_profile.php
index 3501d69bb2..f331164220 100644
--- a/core/users/user_profile.php
+++ b/core/users/user_profile.php
@@ -17,7 +17,7 @@
 The Initial Developer of the Original Code is
 Mark J Crane
- Portions created by the Initial Developer are Copyright (C) 2008-2025
+ Portions created by the Initial Developer are Copyright (C) 2008-2026
 the Initial Developer. All Rights Reserved.
 Contributor(s):
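Review bot: In core/users/user_edit.php the result of `$database->execute($sql, $parameters);` for the token-clearing update is never checked, so a failed update would let the password change go through while the old remember-me selector/validator pairs stay usable. How `execute` signals failure is not visible here; whatever it returns should be tested and a failure logged or reported rather than ignored. The same applies to the matching block in the core/users/user_profile.php hunk. The enclosing block starts outside the hunk, so a comment such as `//invalidate persistent logins so a remember cookie cannot outlive the old password` would help record why the update lives there.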
@@ -404,6 +404,16 @@
 //create a one way hash for the user password
 $array['users'][$x]['password'] = password_hash($password, PASSWORD_DEFAULT, $options);
 $array['users'][$x]['salt'] = null;
+
+ //remove remember me tokens
+ setcookie('remember', '', time() - 3600, '/');
+ $sql = "update v_user_logs ";
+ $sql .= "set remember_selector = null, ";
+ $sql .= "remember_validator = null ";
+ $sql .= "where user_uuid = :user_uuid ";
+ $parameters['user_uuid'] = $user_uuid;
+ $database->execute($sql, $parameters);
+ unset($sql, $parameters);
 }
 $array['users'][$x]['user_email'] = $user_email;
 $array['users'][$x]['user_status'] = $user_status;
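Review bot: In core/users/user_profile.php `$parameters['user_uuid'] = $user_uuid;` appends to whatever `$parameters` already holds, and unlike the user_edit.php hunk no `unset($sql, $parameters);` is visible before this block. If an earlier query in the file (outside the hunk) leaves keys behind, the update would be bound with extra parameters and may fail, leaving the tokens in place. Assigning the array outright, `$parameters = ['user_uuid' => $user_uuid];`, removes that dependency. Separately, `setcookie('remember', '', time() - 3600, '/');` only deletes the cookie when its path and domain match the ones used where the cookie is set, which this hunk does not show.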