CP password expiration form usually has an expired key. #11261

@jxr-koda

Description

Bug description

When the user is logged into the control panel but inactive, they will be logged out and shown a password entry dialogue box to log back in. That form contains a temporal hash. If the user waits too long to revisit the control panel, the hash in the password form will be expired and the first attempt to log back in will fail. In practice, this is the most common case as it's rare for a user to leave the control panel long enough to be logged out but return soon enough for the hash to be valid.

How to reproduce

Log in to the control panel. Leave the window open for a long time (I don't know exactly how long). Attempt to log in. Notice that your first attempt fails and you are prompted a second time.

Logs

No response

Environment

Environment
Application Name: AsbestosClaims.Law
Laravel Version: 11.35.1
PHP Version: 8.3.6
Composer Version: 2.7.1
Environment: local
Debug Mode: ENABLED
URL: asbestosclaims.law.test
Maintenance Mode: OFF
Timezone: UTC
Locale: en

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED

Drivers
Broadcasting: log
Cache: file
Database: sqlite
Logs: stack / single
Mail: log
Queue: sync
Session: file

Sentry
Enabled: YES
Environment: local
Laravel SDK Version: 4.10.1
PHP SDK Version: 4.10.0
Release: NOT SET
Sample Rate Errors: 100%
Sample Rate Performance Monitoring: 100%
Sample Rate Profiling: NOT SET
Send Default PII: DISABLED

Statamic
Addons: 1
Sites: 2 (English, Español)
Stache Watcher: Enabled
Static Caching: Disabled
Version: 5.42.1 PRO

Statamic Addons
stillat/antlers-components: 2.4.0

Installation

Fresh statamic/statamic site via CLI

Additional details

There seem to be two potential solutions. First would be to remove the hash from the form entirely. This may be an option given that only the password is being transmitted and not their email address, which means the extra security of the hash may not be necessary.

Alternatively, instead of immediately prompting the user for their password, we could display a dialogue box with a single button that will subsequently bring up a fresh password form.
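The second approach depends on the server being able to tell a form whose time-limited hash has merely expired apart from a form that has been tampered with, so that an expired form can be re-issued without counting as a failed login. The sketch below is an added illustration of that distinction and is not Statamic's code; the issue does not describe how Statamic's control-panel hash is actually generated or checked. The class and function names, the secret, the 900-second lifetime and the fixed clock values are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Statamic's implementation: a form token that carries its
// own issue time and an HMAC over it, so verification can return "expired"
// separately from "invalid". The expired case can then render a "continue"
// button that loads a fresh form instead of rejecting the password attempt.

final class TimedFormToken
{
    public const VALID   = 'valid';
    public const EXPIRED = 'expired';
    public const INVALID = 'invalid';

    public function __construct(
        private readonly string $secret,   // assumed: a server-side application key
        private readonly int $ttlSeconds,  // assumed lifetime of a rendered form
    ) {
    }

    // Token format: "<unix-timestamp>.<hex hmac-sha256 over the timestamp>".
    public function issue(int $now): string
    {
        $payload = (string) $now;
        $mac = hash_hmac('sha256', $payload, $this->secret);
        return $payload . '.' . $mac;
    }

    public function verify(string $token, int $now): string
    {
        $parts = explode('.', $token, 2);
        if (count($parts) !== 2 || !ctype_digit($parts[0])) {
            return self::INVALID;
        }
        [$payload, $mac] = $parts;

        // Authenticate the timestamp first (constant-time compare); only a
        // correctly signed timestamp is trusted for the expiry decision.
        $expected = hash_hmac('sha256', $payload, $this->secret);
        if (!hash_equals($expected, $mac)) {
            return self::INVALID;
        }

        $issuedAt = (int) $payload;
        if ($issuedAt > $now || ($now - $issuedAt) > $this->ttlSeconds) {
            return self::EXPIRED;
        }
        return self::VALID;
    }
}

// Hypothetical controller step for the re-login POST: decides what to do with
// the submitted form before any password check happens.
function handleReLogin(TimedFormToken $tokens, string $token, int $now): string
{
    return match ($tokens->verify($token, $now)) {
        // Only a fresh, authentic form is worth a password check.
        TimedFormToken::VALID   => 'check-password',
        // Expired but authentic: not a failed login. Show a single "continue"
        // button whose click loads a new form carrying a new token.
        TimedFormToken::EXPIRED => 'render-refresh-button',
        // Malformed or tampered: reject outright.
        default                 => 'reject',
    };
}

// Demonstration with a constructed key and a controllable clock.
$tokens = new TimedFormToken(secret: 'constructed-example-key', ttlSeconds: 900);
$issued = 1_700_000_000;
$token  = $tokens->issue($issued);

echo handleReLogin($tokens, $token, $issued + 60), PHP_EOL;    // returned promptly
echo handleReLogin($tokens, $token, $issued + 7200), PHP_EOL;  // left idle for two hours
echo handleReLogin($tokens, 'x.' . str_repeat('0', 64), $issued), PHP_EOL;  // malformed
```

Checking the signature before reading the timestamp matters: an unsigned timestamp would let anyone pick which of the two branches they land in, and a wrong secret or altered token should be treated as a rejection rather than as a harmless expiry.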
