mirror of
https://github.com/moodle/moodle.git
synced 2025-01-18 22:08:20 +01:00
6dfe428363
CSRF protection for the login form. The authenticate_user_login function was extended to validate the token (in \core\session\manager) but by default it does not perform the extra validation. Existing uses of this function from auth plugins and features like "change password" will continue to work without changes. New config value $CFG->disablelogintoken can bypass this check.