
Security Issue: It is possible to access a restricted page without having to enter a password, when a different restricted page uses the same password.

Open Reispfannenfresser opened this issue 1 year ago • 1 comments

Describe the bug

Setting the same password on two separate restricted game pages allows accessing both once the password for one was entered.

To Reproduce

  1. Create two game pages.
  2. Go to both games' settings and adjust the Restricted access settings to allow accessing the page using a password.
  3. Set the same password for both games.
  4. Save the links to the games and the password somewhere for later use.
  5. Clear your browser data and go to the first of the two pages.
  6. You are asked to enter a password. Enter the password you set.
  7. Go to the second game page. You can access it without entering a password.

Expected behavior

I expected the second game page to ask me for a password also.

Desktop (please complete the following information):

  • OS: 5.15.150-1-MANJARO x86_64 GNU/Linux
  • Browser: Firefox
  • Version: 124.0.1 (64-bit)

Additional context

This might only apply to games that were uploaded by the same account. I have not tested what happens if the games were uploaded from different accounts.

Using the same password is not a good idea anyways and this may even be intended behavior.

Reispfannenfresser, Mar 31 '24 11:03

The way it works is that the last password you typed is stored in your browser's session, and any password-protected project page (or sub page) you access will check if the last entered password is correct. If it's valid, it shows you the page; if it's not, then it prompts for the password.

We probably won't change this at this time; my recommendation is to use a more unique password.

leafo, Jul 18 '24 01:07
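
A small model of the check described in the reply above, set beside a per-page grant for comparison. This is an added example and not itch.io's code: the page ids, passwords, function names and the per-page design are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: hypothetical page ids and passwords.
PAGES = {"game-a": "shared-pw", "game-b": "shared-pw", "game-c": "other-pw"}


def check_last_password(session, page_id, submitted=None):
    """Model of the described behaviour: the session keeps the last password
    typed, and every protected page compares it with its own password."""
    if submitted is not None:
        session["last_password"] = submitted
    last = session.get("last_password", "")
    return hmac.compare_digest(last.encode(), PAGES[page_id].encode())


def _grant(server_key, page_id, password):
    # Token is bound to one page id, so it does not validate on another page.
    msg = page_id.encode() + b"\0" + password.encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()


def check_per_page(session, page_id, server_key, submitted=None):
    """Assumed alternative: store a per-page grant, not the raw password."""
    grants = session.setdefault("grants", {})
    current = PAGES[page_id]
    if submitted is not None and hmac.compare_digest(
        submitted.encode(), current.encode()
    ):
        grants[page_id] = _grant(server_key, page_id, submitted)
    # Recomputed from the current password, so a password change revokes it.
    expected = _grant(server_key, page_id, current)
    return hmac.compare_digest(grants.get(page_id, ""), expected)


def demo():
    key = os.urandom(32)  # stand-in for a server-side secret
    last_pw, scoped = {}, {}
    return {
        "last_pw_a": check_last_password(last_pw, "game-a", "shared-pw"),
        "last_pw_b_no_prompt": check_last_password(last_pw, "game-b"),
        "last_pw_c_no_prompt": check_last_password(last_pw, "game-c"),
        "scoped_a": check_per_page(scoped, "game-a", key, "shared-pw"),
        "scoped_b_no_prompt": check_per_page(scoped, "game-b", key),
    }


if __name__ == "__main__":
    print(demo())
```

With the last-password check, the second page with the same password opens without a prompt while the page with a different password still prompts; with the per-page grant, unlocking one page leaves the other locked.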