View Issue Details

ID: 0004634
Project: mantisbt
Category: email
View Status: public
Last Update: 2004-12-11 03:02
Reporter: dado
Assigned To:
Priority: normal
Severity: block
Reproducibility: random
Status: closed
Resolution: duplicate
Product Version: 0.19.0
Summary: 0004634: User-Password reset & verify
Description

My English is not the best, but I will try to describe my problem:

  1. Administrator resets password for User Xy
  2. Mail is sent to the user with the following verification URL:

http://www.server.de/mantis/verify.php?id=4&confirm_hash=edf6bdfa08f56f30cc8030c299179b38

  3. Modify "verify.php" for debugging:

//---------------------------------------------------------
// MY DEBUG CODE: print the hash from the URL next to the hash verify.php calculates
echo "--> " . $f_confirm_hash . " <--> " . $t_calculated_confirm_hash . " <-";

// YOUR HASH CHECK
if ( $f_confirm_hash != $t_calculated_confirm_hash ) {
    trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
}
//---------------------------------------------------------

  4. Click the URL; the server responds with 2 different hashes:

--> edf6bdfa08f56f30cc8030c299179b38 <--> 5dc3fb2309d863403a5996a424854ccc <-

  5. Try this 3x:

URL:
1x...mantis/verify.php?id=4&confirm_hash=0f914c339ccfea0d926f5c116e9a789c
2x...mantis/verify.php?id=4&confirm_hash=5d2664151183b50498932b17220b075c
3x...mantis/verify.php?id=4&confirm_hash=9df0f24cae2c3723cea25312556c884c

Server:
1x APPLICATION ERROR #1901
2x APPLICATION ERROR #1901
3x APPLICATION ERROR #1901

My debug:
1x --> 0f914c339ccfea0d926f5c116e9a789c <--> ea844ea2bf23704ac6c4d977ceb582fe <-
2x --> 5d2664151183b50498932b17220b075c <--> b1ae52a50d2725f97433ca9460fec800 <-
3x --> 9df0f24cae2c3723cea25312556c884c <--> bee7814232ef32d52524aad91a6618aa <-

... I think you use different functions when resetting and when verifying...

Thanks,
Danijel

Tags: No tags attached.

Relationships

duplicate of 0004952 (closed, thraxisp): some issues with script authentication support

Activities

masc

2004-09-30 03:13

reporter   ~0007839

The behaviour you described is acknowledged and I was able to reproduce it on my installation. It's not due to the lost password function; it's an authentication cookie issue.
I'll try to explain:

  • If you open a new browser window and use the lost password function, it works fine.
  • If you log out from a user session and then request the lost password reset for the same user who was previously logged in, it doesn't work.
    The problem is due to the fact that the logout is not a real logout and the old user is considered still logged in (in my installation, after logout I am still able to navigate the issues).

We need to check the logout function.

jlatour

2004-12-09 14:08

reporter   ~0008564

Is this related to 0004952?

masc

2004-12-09 15:26

reporter   ~0008567

I think this issue is based exactly on what is explained in 0004952.