View Issue Details

ID: 0016621
Project: mantisbt
Category: signup
View Status: public
Last Update: 2014-12-08 02:08
Reporter: KaiSD
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.3.0dev
Target Version: 1.3.0-beta.1
Summary: 0016621: Problem with session when using signup and password reset
Description

I'm using Mantis 1.3 (currently, 5403f71c8f from github) on Hostgator shared hosting (PHP 5.3.27, MySQL 5.5.33, Apache 2.2.25).

I've encountered a problem with signup and password reset.
After clicking on the password reset link in the email, I see the account page with the following message:
"You are visiting a secure page, and your secure session has expired. Please authenticate yourself to continue."

It requires the current password to continue (and I don't have it).

Mantis 1.2.15 works just fine.

As an experiment, I've tried to replace the verify.php file with the one from Mantis 1.2.15. The message does not appear, but I still can't reset the password, because Mantis wants me to enter the current password in order to set the new one (and I don't have the current password).

I'm not good at PHP and had very little luck trying to fix it myself.

Is it a Mantis bug or a PHP configuration problem?

Tags: No tags attached.

Relationships

related to 0014486 (closed, vboctor): Secure session login is false security while changing password does not require old password

Activities

dregad

2013-11-14 13:19

developer   ~0038556

Thanks for the bug report.

This looks like a regression introduced by 0014486. I'll have a look later at how it can be fixed.

In the meantime, as a workaround, you can comment out the auth_reauthenticate() function in account_page.php (around line 80).

KaiSD

2013-11-14 13:32

reporter   ~0038557

Last edited: 2013-11-14 13:51

Thank you for the workaround.
Unfortunately, Mantis keeps asking for the current password to set the new one.

But, thanks to your advice, I've found a way to disable this check for now.

Related Changesets

MantisBT: master 51f6cae2

2013-11-14 09:48

dregad


Do not reauthenticate user when verifying signup

Issue 0014486 introduced a regression, preventing users from verifying
their account creation as Mantis was requesting their current password,
which they can't possibly know.

Fixes 0016621

Affected Issues: 0014486, 0016621

mod - account_page.php
mod - account_update.php
mod - core/constant_inc.php
mod - verify.php