View Issue Details

ID: 0006009
Project: mantisbt
Category: security
View Status: public
Last Update: 2016-11-18 05:29
Reporter: w_moroz
Assigned To: cproensa
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version:
Target Version: 1.3.0-rc.2
Fixed in Version: 1.3.0-rc.2
Summary: 0006009: Cannot change password in second enter to verification page
Description

Hi,

My users report this to me as a bug. When I change the password for a certain user, he receives an email with a link to a page where he can change his password. Some users don't do this: they only click the link, and some time later click it once again to change the password. By then the link is inactive, because it contains an md5 of login+pass+lastEnter. So, if he doesn't change his password the first time, I have to send him a reminder once again. I think it would be better to make this link inactive after changing the password, not merely on entering the page. Is there a simple way to do this?

thanks in advance

Wojciech Moroz

Tags: No tags attached.

Relationships

related to 0006464 (closed, cproensa): User Sign-up problem
has duplicate 0021929 (closed, cproensa): User Verification Link is being consumed before use
related to 0020686 (closed, cproensa): Make sure new users complete the registration process
related to 0020816 (closed, dregad): user verification / password reset allows setting of empty password
child of 0004181 (closed): Features in Mantis 1.1 release

Activities

thraxisp

2005-07-25 11:23

reporter   ~0010947

This has been improved in 1.0.0rc1, but not to the full extent you are recommending. The confirmation URL remains valid until the user leaves the password change page, but a check is not made to see if the password is updated.

w_moroz

2005-07-26 01:57

reporter   ~0010956

Yes, that's true. Some of my users at first only enter the password change page to check if it really works and do not change the password. Do you have any idea how to make this link invalid only after changing the password?

thraxisp

2005-07-27 14:36

reporter   ~0010985

Changing the current scheme as you suggest would be difficult due to the way the code is partitioned. We can look at refining this in the next release.

Related Changesets

MantisBT: master d7b8d33e

2016-05-14 12:26:34

dregad

Manage the password reset hash as a token

Refactor verify.php to be a not-logged-in page (like login_page.php), so
the only action the user can do is change the password, and not navigate
into the site.

If the user does not change the password and quits the page, the
activation token remains valid until the change is effectively done (or
the token times out)

Fixes 0020686, 0006009, https://github.com/mantisbt/mantisbt/pull/735

Note: I reworded and reformatted some of the original commit messages.
mod - account_page.php
mod - account_update.php
mod - core/constant_inc.php
mod - core/user_api.php
mod - css/default.css
mod - lang/strings_english.txt
mod - lost_pwd.php
mod - verify.php
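As an added example (not MantisBT's own code), a minimal Python model of the token lifecycle the changeset describes: the link's secret is kept as a per-user token, a visit to the change page only validates it, and the token is deleted when the password is effectively changed or when it times out. The class and method names, the one-day TTL and the in-memory stores are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory model (not MantisBT code) of the corrected lifecycle:
# a visit to the page only validates the token; the token is removed only by
# an effective password change or by its timeout.
TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumption: one-day lifetime


class PasswordResetTokens:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._tokens = {}        # user_id -> (sha256(token), expiry timestamp)
        self.passwords = {}      # user_id -> (salt, pbkdf2 hash); constructed store

    def issue(self, user_id):
        # Only the hash of a random secret is stored, so a leaked table yields no working links.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[user_id] = (digest, self._now() + TOKEN_TTL_SECONDS)
        return token

    def _is_valid(self, user_id, token):
        entry = self._tokens.get(user_id)
        if entry is None:
            return False
        digest, expiry = entry
        if self._now() >= expiry:
            del self._tokens[user_id]  # timed out: same as never issued
            return False
        candidate = hashlib.sha256(token.encode()).hexdigest()
        return hmac.compare_digest(digest, candidate)

    def can_open_change_page(self, user_id, token):
        # Rendering the page must not consume the token: the original
        # md5(login+pass+lastEnter) link died as soon as the user first visited.
        return self._is_valid(user_id, token)

    def change_password(self, user_id, token, new_password):
        if not self._is_valid(user_id, token):
            return False
        if not new_password:
            return False  # an empty password is not an effective change (cf. 0020816)
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self.passwords[user_id] = (salt, digest)
        del self._tokens[user_id]  # consumed only now, on the effective change
        return True
```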

Issue History

Date Modified Username Field Change
2005-07-25 08:50 w_moroz New Issue
2005-07-25 11:23 thraxisp Note Added: 0010947
2005-07-25 11:23 thraxisp Status new => feedback
2005-07-26 01:57 w_moroz Note Added: 0010956
2005-07-27 14:36 thraxisp Note Added: 0010985
2005-07-27 14:36 thraxisp Status feedback => acknowledged
2005-07-27 14:36 thraxisp Relationship added child of 0004181
2016-03-13 20:40 cproensa Relationship added related to 0020686
2016-04-17 11:51 cproensa Relationship added related to 0006464
2016-04-17 12:16 cproensa Relationship added related to 0020816
2016-04-17 13:13 cproensa Assigned To => cproensa
2016-04-17 13:13 cproensa Status acknowledged => assigned
2016-05-14 12:30 dregad Changeset attached => MantisBT master d7b8d33e
2016-05-14 12:30 dregad Assigned To cproensa => dregad
2016-05-14 12:30 dregad Status assigned => resolved
2016-05-14 12:30 dregad Resolution open => fixed
2016-05-14 12:30 dregad Fixed in Version => 1.3.0-rc.2
2016-05-14 12:37 dregad Assigned To dregad => cproensa
2016-05-14 12:37 dregad Target Version => 1.3.0-rc.2
2016-05-14 12:37 dregad Summary cannot change password in second enter to page => Cannot change password in second enter to verification page
2016-06-12 00:42 vboctor Status resolved => closed
2016-11-18 05:29 cproensa Relationship added has duplicate 0021929