#27331 closed defect (bug) (duplicate)
WordPress Login Page Security Issue
Reported by: | hardeepasrani | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | |
Component: | Security | Keywords: | |
Focuses: | administration | Cc: | |
Description
I don't know whether it's a bug or there's a reason behind this, but I found it a security issue.
The Issue
If you're logged into your self-hosted WordPress website as an admin or any role, you will still see the login page & you can log in again to any account.
I think if a user is already logged in then he should be redirected back to the admin panel (or any other page), not the login page.
Why it's an issue
Just suppose a user is using his WP site (as admin) on a public computer, then he somehow gets to the login page (by clicking on the link) & sees that he is already logged out (even when he's logged in) because he can see the login page. So, now he thinks that he's been logged out, but he is still logged in.
So, I think a logged-in user should either be redirected back to the admin panel or he has to fill in the login details again to sign in.
What are your thoughts?
Duplicate of #14949.