From bdac5a04bb9027ca54f96aad28e118d8990ff6f9 Mon Sep 17 00:00:00 2001
From: Janis Steiner <janis@jakach.ch>
Date: Mon, 31 Mar 2025 15:45:35 +0000
Subject: [PATCH] fixing vuln where someone could change his username after
 loging in and therefore login with any account

---
 app-code/api/login/set_username.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app-code/api/login/set_username.php b/app-code/api/login/set_username.php
index c726b35..8db9a80 100644
--- a/app-code/api/login/set_username.php
+++ b/app-code/api/login/set_username.php
@@ -1,5 +1,6 @@
 <?php
 session_start();
 $_SESSION["needs_auth"]=true;
+$_SESSION["logged_in"]=false;
 $_SESSION["username"]=preg_replace("/[^a-z0-9_]/","",$_POST["username"]);
 ?>