Bug description
When the user is logged into the control panel but inactive, they will be logged out and shown a password entry dialogue box to log back in. That form contains a temporal hash. If the user waits too long to revisit the control panel, the hash in the password form will be expired and the first attempt to log back in will fail. In practice, this is the most common case as it's rare for a user to leave the control panel long enough to be logged out but return soon enough for the hash to be valid.
How to reproduce
Log in to the control panel. Leave the window open for a long time (I don't know exactly how long). Attempt to log in. Notice that your first attempt fails and you are prompted a second time.
Logs
No response
Environment
Installation
Fresh statamic/statamic site via CLI
Additional details
There seem to be two potential solutions. First would be to remove the hash from the form entirely. This may be an option given that only the password is being transmitted and not their email address, which means the extra security of the hash may not be necessary.
Alternatively, instead of immediately prompting the user for their password, we could display a dialogue box with a single button that will subsequently bring up a fresh password form.
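The expiry behaviour described in this report, and the effect of the second proposal, shown as an added example that is not part of the original issue and is not Statamic's code. The token format, the `FORM_TOKEN_TTL` lifetime, the key and the function names are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical values: the real token scheme and lifetime are not shown in the issue.
const FORM_TOKEN_TTL = 7200;                   // seconds a form token stays valid (assumed)
const FORM_TOKEN_KEY = 'constructed-demo-key'; // stand-in for the application secret

/** Issue a token bound to the browser session and to its issue time. */
function issueFormToken(string $sessionId, int $now): string
{
    $mac = hash_hmac('sha256', $sessionId . '|' . $now, FORM_TOKEN_KEY);
    return $now . '.' . $mac;
}

/** Return 'ok', 'expired' or 'invalid' so the caller can tell staleness from tampering. */
function checkFormToken(string $token, string $sessionId, int $now): string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'invalid';
    }
    [$issuedAt, $mac] = [(int) $parts[0], $parts[1]];
    $expected = hash_hmac('sha256', $sessionId . '|' . $issuedAt, FORM_TOKEN_KEY);
    if (!hash_equals($expected, $mac)) {
        return 'invalid';
    }
    return ($now - $issuedAt) > FORM_TOKEN_TTL ? 'expired' : 'ok';
}

// Constructed timeline: the re-login dialog is rendered at $t0, the user returns 8 hours later.
$session = 'constructed-session-id';
$t0      = 1700000000;
$later   = $t0 + 8 * 3600;

// Reported behaviour: the token embedded in the dialog at $t0 is stale when the form is submitted.
$embedded = issueFormToken($session, $t0);
echo 'token rendered with the dialog: ', checkFormToken($embedded, $session, $later), PHP_EOL;

// Second proposal: a button click requests a fresh form, so the token is issued at $later.
$fresh = issueFormToken($session, $later);
echo 'token issued on button click:   ', checkFormToken($fresh, $session, $later), PHP_EOL;

// A modified token is still rejected, so the integrity check keeps its purpose.
echo 'tampered token:                 ', checkFormToken($fresh . '0', $session, $later), PHP_EOL;
```

Returning a distinct `expired` result also lets the server respond to a stale form by re-rendering it with a new token instead of reporting a failed login.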