SS-2016-014: Pre-existing alc_enc cookies log users in if remember me is disabled

Severity: Low
Identifier: ss-2016-014
Versions Affected: 3.1.19, 3.2.4, 3.3.2, 3.4.0
Versions Fixed: 3.1.20, 3.2.5, 3.3.3, 3.4.1
Release Date: 2016-08-15

If "remember me" is enabled and users log in with the box checked, and the developer then disables the "remember me" function, any pre-existing cookies will continue to authenticate users.

Reported by Patrick Nelson - https://catchyour.com/
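The following is an added illustration of the check this advisory concerns, written for this page and not taken from SilverStripe's code. It assumes PHP 7.4 or later; the class, the function names and the `id:token` cookie layout are hypothetical, and only the cookie name `alc_enc` comes from the advisory.

```php
<?php
// Constructed model of a remember-me flow. All names are hypothetical;
// none of this is SilverStripe framework code.
final class RememberMeStore
{
    /** @var array<int,string> member id => SHA-256 of the issued token */
    private array $hashes = [];

    public function issue(int $memberId): string
    {
        $token = bin2hex(random_bytes(16));
        $this->hashes[$memberId] = hash('sha256', $token);
        return $memberId . ':' . $token; // value placed in the alc_enc cookie
    }

    public function matches(int $memberId, string $token): bool
    {
        return isset($this->hashes[$memberId])
            && hash_equals($this->hashes[$memberId], hash('sha256', $token));
    }

    // Call when the feature is switched off so old tokens are dead server-side.
    public function revokeAll(): void
    {
        $this->hashes = [];
    }
}

// Returns the member id to log in, or null. $cookies stands in for the
// request cookie jar and is passed by reference so a stale cookie is dropped.
function autoLogin(array &$cookies, RememberMeStore $store, bool $rememberMeEnabled): ?int
{
    // The check missing in the affected behaviour: with the feature disabled,
    // a cookie issued earlier must never reach token validation.
    if (!$rememberMeEnabled) {
        unset($cookies['alc_enc']);
        return null;
    }
    $raw = $cookies['alc_enc'] ?? '';
    if (!is_string($raw) || strpos($raw, ':') === false) {
        return null;
    }
    [$id, $token] = explode(':', $raw, 2);
    return $store->matches((int) $id, $token) ? (int) $id : null;
}

$store = new RememberMeStore();
$cookies = ['alc_enc' => $store->issue(42)];   // constructed: issued while enabled
var_dump(autoLogin($cookies, $store, true));   // feature on: cookie is honoured
var_dump(autoLogin($cookies, $store, false));  // feature off: cookie is rejected and dropped
```

Calling `revokeAll()` at the moment the setting is disabled covers the same case server-side, so a cookie that survives in a browser has nothing left to match against if the feature is later re-enabled.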