
Disable automatic login feature when clicking on email confirmation links

Brian Neel requested to merge disable-automatic-login-on-email-confirmation into master

This is a patch for issue https://gitlab.com/gitlab-org/gitlab-ce/issues/24411.

GitLab automatically logs a user in when they click on an email confirmation link. This is dangerous as a stolen or sniffed confirmation token can be used to authenticate as that user without knowing a username or password.

This patch needs review as there is likely a reason this behavior was originally enabled.

@stanhu @MrChrisW

Edited by 🤖 GitLab Bot 🤖
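A small in-memory model of the behaviour this merge request changes, added here as an illustration; it is not GitLab's code or part of the patch. The class, method and field names are hypothetical, and the accounts and tokens are constructed sample data.

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

# Constructed in-memory model of the flow; all names here are hypothetical.
class ConfirmationFlow
  Account = Struct.new(:email, :salt, :pw_hash, :confirmed)

  def initialize(auto_sign_in:)
    @auto_sign_in = auto_sign_in
    @accounts = {} # email => Account
    @tokens = {}   # SHA-256 of confirmation token => email
  end

  # Create an unconfirmed account; returns the token that would be emailed.
  def register(email, password)
    salt = SecureRandom.random_bytes(16)
    @accounts[email] = Account.new(email, salt, kdf(password, salt), false)
    token = SecureRandom.urlsafe_base64(32)
    @tokens[Digest::SHA256.hexdigest(token)] = email
    token
  end

  # Handle a click on the confirmation link. The token is single-use.
  def confirm(token)
    email = @tokens.delete(Digest::SHA256.hexdigest(token.to_s))
    return { confirmed: false, session_user: nil } unless email
    @accounts[email].confirmed = true
    # auto_sign_in: true  -> possession of the token alone yields a session.
    # auto_sign_in: false -> the address is confirmed; a normal sign-in is still required.
    { confirmed: true, session_user: @auto_sign_in ? email : nil }
  end

  # Normal login: requires a confirmed account and the correct password.
  def sign_in(email, password)
    acct = @accounts[email]
    return nil unless acct&.confirmed
    secure_eq(acct.pw_hash, kdf(password.to_s, acct.salt)) ? email : nil
  end

  private

  def kdf(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 10_000, 32, OpenSSL::Digest.new('SHA256'))
  end

  def secure_eq(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |d, (x, y)| d | (x ^ y) }.zero?
  end
end
```

With `auto_sign_in: false`, a leaked confirmation token can still confirm the address, but it no longer stands in for the account's credentials.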
