Issue Details

ID: 0006009
Project: mantisbt
Category: security
View Status: public
Last Update: 2016-11-18 05:29
Reporter: w_moroz
Assigned To: cproensa
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 1.3.0-rc.2
Fixed in Version: 1.3.0-rc.2
Summary: 0006009: Cannot change password on second visit to the verification page
Description

hi

My users report this to me as a bug. When I change the password for a certain user, he receives an email with a link to a page where he can change his password. Some users don't do this. They only click the link, and some time later click the link once again to change the password. The link is inactive, because there is an md5 of login+pass+lastEnter. So, if he doesn't change his password the first time, I have to send him a reminder once again. I think it would be better to make this link inactive after changing the password, not just after entering the page. Is there a simple way to do this?

thanks in advance

Wojciech Moroz

Tags: No tags attached.

Relationships

related to 0006464 (closed, cproensa): User Sign-up problem
has duplicate 0021929 (closed, cproensa): User Verification Link is being consumed before use
related to 0020686 (closed, cproensa): Make sure new users complete the registration process
related to 0020816 (closed, dregad): user verification / password reset allows setting of empty password
child of 0004181 (closed): Features in Mantis 1.1 release

Activities

thraxisp (reporter), 2005-07-25 11:23, ~0010947

This has been improved in 1.0.0rc1, but not to the full extent you are recommending. The confirmation URL remains valid until the user leaves the password change page, but a check is not made to see if the password is updated.

w_moroz (reporter), 2005-07-26 01:57, ~0010956

Yes, that's true. Some of my users at first only enter the password change page to check whether it really works and do not change their password. Do you have any idea how to make this link invalid only after the password is changed?

thraxisp (reporter), 2005-07-27 14:36, ~0010985

Changing the current scheme as you suggest would be difficult due to the way the code is partitioned. We can look at refining this in the next release.

Related Changesets

MantisBT: master d7b8d33e, 2016-05-14 08:26, dregad

Manage the password reset hash as a token

Refactor verify.php to be a not-logged-in page (like login_page.php), so
the only action the user can do is change the password, and not navigate
into the site.

If the user does not change the password and quits the page, the
activation token remains valid until the change is effectively done (or
the token times out)

Fixes 0020686, 0006009, https://github.com/mantisbt/mantisbt/pull/735

Note: I reworded and reformatted some of the original commit messages.
Affected Issues: 0006009, 0020686

Modified files:
- account_page.php
- account_update.php
- core/constant_inc.php
- core/user_api.php
- css/default.css
- lang/strings_english.txt
- lost_pwd.php
- verify.php
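The two lifecycles discussed in this issue, as an added illustration that is not MantisBT's own code: the reporter's description of a link derived from md5(login+pass+lastEnter), which dies as soon as the page visit updates the last-visit time, beside the token-based scheme the changeset describes, where opening the page does not consume the token and only a completed password change (or a timeout) invalidates it. The in-memory tables, the 7-day lifetime and the rejection of an empty password (the problem tracked in related issue 0020816) are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the user and token tables.
USERS = {"wmoroz": {"password": "old-secret", "last_visit": 1000}}
TOKENS = {}                 # token value -> (username, expiry timestamp)
TOKEN_TTL = 7 * 24 * 3600   # assumed lifetime, seconds

def legacy_link_hash(username):
    """Old scheme as the reporter describes it: md5(login + pass + lastEnter)."""
    u = USERS[username]
    raw = f"{username}{u['password']}{u['last_visit']}".encode()
    return hashlib.md5(raw).hexdigest()

def legacy_verify(username, link_hash, now):
    """Checking the link is itself a page visit, which updates last_visit and
    therefore changes the hash input: the link is dead on the second click."""
    ok = hmac.compare_digest(legacy_link_hash(username), link_hash)
    USERS[username]["last_visit"] = now
    return ok

def issue_reset_token(username, now):
    """New scheme: a random token stored with an expiry (nothing to derive)."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (username, now + TOKEN_TTL)
    return token

def lookup_token(token, now):
    """Return the owner of a live token, purging it if it has timed out."""
    entry = TOKENS.get(token)
    if entry is None:
        return None
    username, expiry = entry
    if now > expiry:
        del TOKENS[token]
        return None
    return username

def view_reset_page(token, now):
    """Opening the link only reads the token; it is not consumed here."""
    return lookup_token(token, now) is not None

def change_password(token, new_password, now):
    """Consume the token only once the change is effectively done."""
    username = lookup_token(token, now)
    if username is None or not new_password:
        return False                  # invalid/expired token, or empty password
    USERS[username]["password"] = new_password
    del TOKENS[token]
    return True
```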