Password reset token is reusable #291

Open
mathewberry opened this Issue Mar 7, 2017 · 3 comments

mathewberry commented Mar 7, 2017

For support, please use our forums: http://forums.sentora.org/, you can search for solutions there.
Feel free to open a new question if none of the threads solve your problem.
Please, do NOT use this issue tracker for support.

For bug reports please provide the following information:

Operating System: Ubuntu

Operating System Version number: 14.04

Sentora Version: 1.0.3

Issue: password reset token is reusable

How to reproduce it: simply click "forgot password", go to your email, click the link and reset your password. Once this is done, just test that your password has changed, then click the link in the email again and it should let you change the password.

Suggested fix or solution if you have any: delete the token as soon as the password is changed, then generate a new token every time a password reset request is made.

Thank you on the behalf of the Sentora Team.

V 0.0.2

Member

TGates71 commented Mar 8, 2017

Hmmm... should be a simple fix. Could be a typo in there somewhere that is not removing the old token.
Thanks for the input!

@TGates71 TGates71 added the bug label Mar 8, 2017

Member

TGates71 commented Mar 8, 2017

Tested. The hash is removed after entering new password.
Password does not get reset the second time.
Need to show an invalid hash or other error if it does not exist, and redirect to the login screen.

@MBlagui MBlagui added this to the 1.0.5 milestone Mar 9, 2017

Contributor

MBlagui commented Mar 9, 2017

We will check so we send a smooth error.
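
The behaviour discussed in this thread (consume the token when the password changes, issue a fresh token on every reset request, and report an invalid token so the handler can show an error and redirect to the login screen), as an added PHP example that is not Sentora's code. The table layout, function names, hashed token storage and one-hour lifetime are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical schema (not Sentora's): at most one pending reset row per account.
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, pw_hash TEXT NOT NULL)');
    $db->exec('CREATE TABLE resets (account_id INTEGER PRIMARY KEY, token_hash TEXT NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

// Every request replaces the pending token, so earlier e-mailed links stop working.
function requestReset(PDO $db, int $accountId, int $now): string {
    $token = bin2hex(random_bytes(32));
    $db->prepare('REPLACE INTO resets (account_id, token_hash, expires) VALUES (?, ?, ?)')
       ->execute([$accountId, hash('sha256', $token), $now + 3600]); // assumed 1 h lifetime
    return $token; // sent in the e-mailed link; only its SHA-256 hash is stored
}

// True when the password was changed; false for an unknown, used or expired token.
function completeReset(PDO $db, string $token, string $newPassword, int $now): bool {
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $sel = $db->prepare('SELECT account_id FROM resets WHERE token_hash = ? AND expires > ?');
    $sel->execute([$hash, $now]);
    $accountId = $sel->fetchColumn();
    $sel->closeCursor();
    // Consume the token in the same transaction; a replayed link deletes zero rows.
    $del = $db->prepare('DELETE FROM resets WHERE token_hash = ?');
    $del->execute([$hash]);
    if ($accountId === false || $del->rowCount() !== 1) {
        $db->rollBack();
        return false;
    }
    $db->prepare('UPDATE accounts SET pw_hash = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $accountId]);
    $db->commit();
    return true;
}

// Constructed demo: the same link is submitted twice; the second attempt must fail.
$db = makeDb();
$db->exec("INSERT INTO accounts (id, pw_hash) VALUES (1, 'placeholder')");
$link = requestReset($db, 1, time());
foreach ([1, 2] as $attempt) {
    $ok = completeReset($db, $link, 'constructed-new-passphrase', time());
    // On false, the handler shows an "invalid reset link" error and redirects to login.
    echo "attempt $attempt: ", $ok ? 'password changed' : 'invalid link', PHP_EOL;
}
```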
