    MDL-63183 auth: Login protection · 8f3b93f6
    Damyon Wiese authored
    CSRF protection for the login form. The authenticate_user_login function was
    extended to validate the token (in \core\session\manager) but by default it
    does not perform the extra validation. Existing uses of this function from
    auth plugins and features like "change password" will continue to work without
    changes. New config value $CFG->disablelogintoken can bypass this check.
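
The opt-in check this commit message describes, as an added PHP sketch that is not the commit's code or Moodle's API. The function names and the `$session` and `$cfg` arrays are assumptions; only the `disablelogintoken` setting name comes from the message. It models the three paths: a form login that passes a token, a legacy caller that passes none, and the config bypass.

```php
<?php
// Model of an opt-in login token check. Not Moodle code: the function names
// and the $session / $cfg arrays are assumptions made for this example.

function issue_login_token(array &$session): string {
    // Called when the login form is rendered; the value goes in a hidden field.
    return $session['logintoken'] = bin2hex(random_bytes(16));
}

function validate_login_token(array $session, array $cfg, $token): bool {
    if (!empty($cfg['disablelogintoken'])) {
        return true;                 // site-wide bypass via config
    }
    if ($token === false) {
        return true;                 // caller did not opt in (legacy call site)
    }
    $expected = $session['logintoken'] ?? '';
    return is_string($token) && $expected !== '' && hash_equals($expected, $token);
}

function authenticate(array $session, array $cfg, string $user, string $pass, $token = false): bool {
    static $users = null;            // constructed sample account
    $users = $users ?? ['alice' => password_hash('s3cret-sample', PASSWORD_DEFAULT)];
    if (!validate_login_token($session, $cfg, $token)) {
        return false;                // reject before checking credentials
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

$session = [];
$cfg = ['disablelogintoken' => false];
$formtoken = issue_login_token($session);

// Login form handler: a missing field becomes '' (not false), so it is still validated.
$genuine = ['logintoken' => $formtoken];
$forged  = [];                       // cross-site POST without the hidden field
$results = [
    'form, genuine token' => authenticate($session, $cfg, 'alice', 's3cret-sample', $genuine['logintoken'] ?? ''),
    'form, no token'      => authenticate($session, $cfg, 'alice', 's3cret-sample', $forged['logintoken'] ?? ''),
    'legacy caller'       => authenticate($session, $cfg, 'alice', 's3cret-sample'),
    'bypass enabled'      => authenticate($session, ['disablelogintoken' => true], 'alice', 's3cret-sample', ''),
];
foreach ($results as $case => $ok) {
    echo str_pad($case, 22), $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```

In this model any call site that omits the token argument is not protected, so when auditing such a design, check that every entry point reachable by a cross-site form POST passes the token explicitly.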