Re: [security-dev] PLINK-84 - Login can be bypassed with any user after a first successful login

From what I understand from JIRA comments, the use case boils down to use of additional credentials after a successful authentication. I am thinking maybe the authentication process should register the type of credential last used and if subsequent login() calls happen on the identity, then a change of credential (via the credential.setCredential) should trigger an authentication process. Unless the credential type has changed, I am unsure why we need to perform another authentication when the user has already authenticated and the session is active. Thoughts/feedback? On 01/29/2013 08:28 AM, Bruno Oliveira wrote: