Login feature still visible even when being logged in

[Jock3r]

Hello,

I am using IPS 4.4.10 and I have noticed that you can still visit and see the login page even though I am already logged into my account. I believe that this should not be possible? Like make a check that checks if the user is already logged and if they are to display an error.

[bfarber]

Don't manually go to the page then if you don't want to see it? I don't think there's really any need to invest limited development time into this personally.

[Jock3r]

Well, I am using a plugin that adds recaptcha on login page. That specific page that is visible when not being logged has the recaptcha, on the other hand the one when you are logged in does not have it, therefore it's a security risk.

[Day_]

2 minutes ago, Jock3r said:

Well, I am using a plugin that adds recaptcha on login page. That specific page that is visible when not being logged has the recaptcha, on the other hand the one when you are logged in does not have it, therefore it's a security risk.

How is that a security risk if they have already passed recaptcha and logged in?

[Jock3r]

1 minute ago, day_ said:

How is that a security risk if they have already passed recaptcha and logged in?

That way people can use that specific page to bruteforce without captcha.

[bfarber]

I would suggest you should update your plugin then? What you are saying is you wrote a plugin that changes how the login page works, however once someone logs in your plugin is no longer doing that. That's not really a deficiency in the core software release.

[Jock3r]

Well, that was mostly because I wasn't aware that such a thing happened. I will push an update myself then, but still believe that this shouldn't be possible from IPS side. Just letting people know.