I just noticed in a thread somewhere that someone stayed logged in and they were talkin some stuff about changin his password and whatnot. I also noticed that you don't got to do anything to change it.If you had it where they can't change it without entering the current password this would prevent them from being able to change it even if someone else forgot to log out.Another thing I noticed is as follows:I log in with my computer and with another computer. Then I change the password with one computer, log out on it and log back in. The other computer still seems to be able to navigate without any problem even though the password is changed. What I'm sayin is that I assume that the password is not stored as a temporary cookie on the user's system. Now if it was, and if every time an action took place the password and user name pair were compared to what is in the database, after I change my password on one computer, I wouldn't be able to do anything with the other computer because when I go somewhere it would retrieve the cookies and compare it with what was in the database, and realizing that they are no longer the same, log me out automatically. The idea behind something like that would be if I forgot to log out somewhere and I didn't want anyone else screwin with the account, I could just go to another computer and change the password there so that when they navigate around, the password stored on that computer would no longer match. Of course that would probably be hell to implement and it would be so much easier just to make sure to log out.
11/4/2001 6:20:07 PM
how about something simpler? just require the user to give the old password when they change the password.and log out when you leave your computer[Edited on November 4, 2001 at 8:54 PM. Reason : .]
11/4/2001 8:51:13 PM