MyBB Community Forums

Full Version: mybbuser cookie is set without httponly when changing password
When changing your password, it updates the mybbuser cookie, but doesn't use the "httponly" parameter like other places do (such as when you log in). This results in the mybbuser cookie being able to be accessed from JavaScript.
Link to line causing issue.
Hi,

Thank you for your report. We have pushed this issue to our GitHub repository for further analysis, where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there.

Follow this link to visit the issue on GitHub: https://github.com/mybb/mybb/issues/2705

Thanks for contributing to MyBB!

Regards,
The MyBB Group
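
A regression check for the behaviour reported in this thread, as an added example that is not MyBB's code or part of the original posts: it scans response headers for a `mybbuser` cookie set without `HttpOnly`. The function names, response labels, and sample header values are constructed for illustration.

```python
# Added example: flag Set-Cookie headers that set a sensitive cookie without HttpOnly.
# SAMPLE_RESPONSES is constructed data, not captured from a real MyBB install.

SENSITIVE = {"mybbuser"}  # cookie named in the report; extend for other session cookies

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs); attribute names lower-cased."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags such as HttpOnly map to ''
    return name.strip(), value.strip(), attrs

def missing_httponly(responses, sensitive=SENSITIVE):
    """Return (response_label, cookie_name) for sensitive cookies set without HttpOnly."""
    findings = []
    for label, headers in responses.items():
        for header_name, header_value in headers:
            if header_name.lower() != "set-cookie":
                continue
            name, value, attrs = parse_set_cookie(header_value)
            if name not in sensitive or value == "":
                continue  # an empty value clears the cookie; nothing to protect
            if "httponly" not in attrs:
                findings.append((label, name))
    return findings

SAMPLE_RESPONSES = {  # constructed headers for the two flows compared in the report
    "login": [
        ("Content-Type", "text/html; charset=UTF-8"),
        ("Set-Cookie", "mybbuser=1_CONSTRUCTEDLOGINKEY; "
                       "expires=Thu, 01-Jan-2026 00:00:00 GMT; path=/; HttpOnly"),
    ],
    "password_change": [
        ("Set-Cookie", "mybbuser=1_CONSTRUCTEDNEWKEY; "
                       "expires=Thu, 01-Jan-2026 00:00:00 GMT; path=/"),
    ],
}

if __name__ == "__main__":
    for label, cookie in missing_httponly(SAMPLE_RESPONSES):
        print(f"{label}: cookie '{cookie}' is set without HttpOnly")
```

Feeding it the headers from each flow that rewrites the cookie (login, password change, and any others) shows whether every code path applies the flag consistently.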