Description
Regarding the authentication cache:
Use case (provided by Sergiu):
- Ana Blandiana has password P1
- Black Hat steals Ana's password, logs in to the wiki and starts messing things up
- John Root sees this and tells Ana to change her password immediately
- Ana changes her password to P2, but Black Hat can continue to make changes, since his existing session is never re-checked against the new password
Solution 1: fire an event when the password is changed so that every session logged in with that specific account is invalidated and has to log in again.
Solution 2: Don't log out the user. Just display the password-changed message and, as a security measure, send a notification that the password has changed to the user's registered e-mail address (assuming the e-mail address wasn't changed too).
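The following is an added example of how both solutions could be wired to a password-changed event; it is not the wiki's own code, and the class and method names (Wiki, Session, change_password, the listener names) are assumptions made here. Each session records the account's credential version at login; changing the password bumps the version and fires the event. One listener drops the account's other sessions eagerly (Solution 1), and the per-request version check catches any stale session the eager revocation could miss (for example one held on another node). A second listener mails the address that was on record before the change (Solution 2). The walk-through at the end replays the use case above with constructed sample data: Black Hat's session stops working, Ana's survives, and the notification goes out.

```python
"""Password-change handling for a session-based wiki login (added example)."""
import hashlib
import secrets
from dataclasses import dataclass


def hash_password(password, salt):
    # PBKDF2 is enough to illustrate the point; tune or swap the KDF in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


@dataclass
class User:
    name: str
    email: str
    salt: bytes
    password_hash: str
    credential_version: int = 0      # bumped on every password change


@dataclass
class Session:
    user: str
    credential_version: int          # snapshot taken when the session was created


class Wiki:
    def __init__(self):
        self.users = {}              # name -> User
        self.sessions = {}           # token -> Session
        self.outbox = []             # (recipient, message); stands in for the mail server
        # Listeners for the password-changed event (Solution 1 and Solution 2).
        self.password_changed_listeners = [self._revoke_other_sessions, self._notify_old_email]

    def add_user(self, name, email, password):
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, email, salt, hash_password(password, salt))

    def _check_password(self, user, password):
        return secrets.compare_digest(user.password_hash, hash_password(password, user.salt))

    def login(self, name, password):
        user = self.users.get(name)
        if user is None or not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.credential_version)
        return token

    def current_user(self, token):
        """Return the user name for a valid session, or None if re-login is required.
        A session created before the password changed carries an old version and fails."""
        session = self.sessions.get(token)
        if session is None:
            return None
        if session.credential_version != self.users[session.user].credential_version:
            del self.sessions[token]
            return None
        return session.user

    def change_password(self, token, old_password, new_password):
        name = self.current_user(token)
        if name is None:
            return False
        user = self.users[name]
        if not self._check_password(user, old_password):
            return False
        old_email = user.email       # captured before the change (Solution 2)
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        user.credential_version += 1
        # The session that performed the change stays valid; all others are now stale.
        self.sessions[token].credential_version = user.credential_version
        for listener in self.password_changed_listeners:
            listener(user, old_email, token)
        return True

    def _revoke_other_sessions(self, user, old_email, changed_by_token):
        # Solution 1: force every other session of this account to log in again.
        for tok, session in list(self.sessions.items()):
            if session.user == user.name and tok != changed_by_token:
                del self.sessions[tok]

    def _notify_old_email(self, user, old_email, changed_by_token):
        # Solution 2: warn the address on record *before* the change, in case it was changed too.
        self.outbox.append((old_email, f"The password for '{user.name}' was just changed."))


def scenario():
    """Replay the use case with constructed data; returns (black_hat_user, ana_user, outbox)."""
    wiki = Wiki()
    wiki.add_user("Ana Blandiana", "ana@example.org", "P1")
    black_hat = wiki.login("Ana Blandiana", "P1")   # stolen password, logs in first
    ana = wiki.login("Ana Blandiana", "P1")
    wiki.change_password(ana, "P1", "P2")            # Ana changes P1 -> P2 after John's warning
    return wiki.current_user(black_hat), wiki.current_user(ana), wiki.outbox


if __name__ == "__main__":
    print(scenario())
```

Note that Solution 2 on its own only tells Ana what happened; it is the session revocation (or the version check) that actually stops Black Hat, which is why the example keeps both.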