Vulnerability in EPiServer.Forms
Every time the subscription job (that sends e-mail to users that subscribe to receive updates in different sections of the Web site) runs, a user's MembershipUser.LastActivityDate seems to be set to the current datetime. This means that MembershipUser.IsOnline will be true for all users after the job has run for as long as defined by the userIsOnlineTimeWindow property on the membership provider in web.config (or even all the time if this job runs more frequently than the time period defined by userIsOnlineTimeWindow). Is this a bug in the subscription job code?
Take a peek with Reflector. The subscription job sets a timestamp for when the subscription job was last run, but if I remember correctly it's done on the subscriptioninfo objects. I can't recall seeing a date on the membership user.