MDL-50803 login: Remove token from URL in forgot password process

Store the token value in the session and redirect to self, thus removing the token from the URL and eliminating the problem where the token is exposed via the http referer header.
moodle · Sep 6, 2016 · f9c8cef · f9c8cef
1 parent d80dbeb
commit f9c8cef
Showing 1 changed file with 26 additions and 3 deletions.
diff --git a/login/forgot_password.php b/login/forgot_password.php
@@ -19,6 +19,14 @@
  *
  * Finds the user and calls the appropriate routine for their authentication type.
  *
+ * There are several pathways to/through this page, summarised below:
+ * 1. User clicks the 'forgotten your username or password?' link on the login page.
+ *  - No token is received, render the username/email search form.
+ * 2. User clicks the link in the forgot password email
+ *  - Token received as GET param, store the token in session, redirect to self
+ * 3. Redirected from (2)
+ *  - Fetch token from session, and continue to run the reset routine defined in 'core_login_process_password_set()'.
+ *
  * @package    core
  * @subpackage auth
  * @copyright  1999 onwards Martin Dougiamas  http://dougiamas.com
@@ -59,12 +67,27 @@
     redirect($CFG->wwwroot.'/index.php', get_string('loginalready'), 5);
 }
 
+// Fetch the token from the session, if present, and unset the session var immediately.
+$tokeninsession = false;
+if (!empty($SESSION->password_reset_token)) {
+    $token = $SESSION->password_reset_token;
+    unset($SESSION->password_reset_token);
+    $tokeninsession = true;
+}
+
 if (empty($token)) {
     // This is a new password reset request.
     // Process the request; identify the user & send confirmation email.
     core_login_process_password_reset_request();
 } else {
-    // User clicked on confirmation link in email message
-    // validate the token & set new password
-    core_login_process_password_set($token);
+    // A token has been found, but not in the session, and not from a form post.
+    // This must be the user following the original rest link, so store the reset token in the session and redirect to self.
+    // The session var is intentionally used only during the lifespan of one request (the redirect) and is unset above.
+    if (!$tokeninsession && $_SERVER['REQUEST_METHOD'] === 'GET') {
+        $SESSION->password_reset_token = $token;
+        redirect($CFG->wwwroot . '/login/forgot_password.php');
+    } else {
+        // Continue with the password reset process.
+        core_login_process_password_set($token);
+    }
 }