Password reset oddities

Details

Type: Bug
Status: Resolved
Priority: Normal
Resolution: Cannot Reproduce
Version/s: Einstein release
Labels:

Description

While testing the sign-up process on albert I noticed the following:

if you use the password reset feature and the subsequent one-time login you get via email, clicking that link won't log you out of an existing session. This sounds exotic but might happen on multi-user machines. It's at least confusing. So, please make sure that link causes a log out before it re-logs you in.
trying the before (after a manual log out of my admin account) the PW reset form asked for my current PW - doesn't make sense Didn't we have that issue before?
also, please confirm that the one-time login link takes you to the PW reset form right away

Thanks!

Issue Links

is related to

DBOINCP-436 More secure email change

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Shawn Kwang added a comment - 06/Jun/18 4:33 PM

if you use the password reset feature and the subsequent one-time login you get via email, clicking that link won't log you out of an existing session. This sounds exotic but might happen on multi-user machines. It's at least confusing. So, please make sure that link causes a log out before it re-logs you in.

The current behavior is: User A receives a one-time login link. Then goes to a Browser window/sesion where User B is currently logged in. Then User A copy-and-pasts the login link into the browser. The result is that User B is still logged in.

trying the before (after a manual log out of my admin account) the PW reset form asked for my current PW - doesn't make sense Didn't we have that issue before?

We have had this issue before. The problem is that there is no way to reset the password (currently) without entering your current password. This obviously needs to change.

also, please confirm that the one-time login link takes you to the PW reset form right away

It does not. In fact these points could be combined.

Future behavior: The one-time link takes you to a password-reset page, where your current password is not required. Then you reset your password before continuing on your way.

If any user (even the current user) is currently logged in when the one-lime link is activated, it destroys the current user session first, thus log out whomever is currently logged-in. Then the workflow continues as above.

Show

Shawn Kwang added a comment - 06/Jun/18 4:33 PM if you use the password reset feature and the subsequent one-time login you get via email, clicking that link won't log you out of an existing session. This sounds exotic but might happen on multi-user machines. It's at least confusing. So, please make sure that link causes a log out before it re-logs you in. The current behavior is: User A receives a one-time login link. Then goes to a Browser window/sesion where User B is currently logged in. Then User A copy-and-pasts the login link into the browser. The result is that User B is still logged in. trying the before (after a manual log out of my admin account) the PW reset form asked for my current PW - doesn't make sense Didn't we have that issue before? We have had this issue before. The problem is that there is no way to reset the password (currently) without entering your current password. This obviously needs to change. also, please confirm that the one-time login link takes you to the PW reset form right away It does not. In fact these points could be combined. Future behavior: The one-time link takes you to a password-reset page, where your current password is not required. Then you reset your password before continuing on your way. If any user (even the current user) is currently logged in when the one-lime link is activated, it destroys the current user session first, thus log out whomever is currently logged-in. Then the workflow continues as above.

Hide

Permalink

Shawn Kwang added a comment - 07/Jun/18 7:18 PM

Update: GitHub PR 2552 will fix some of the problem, namely when a user logs in via a one-time link, they are not sent to the password change form. (This was the past behavior until the terms-of-use merge). The bug is actually a regression.

Show

Shawn Kwang added a comment - 07/Jun/18 7:18 PM Update: GitHub PR 2552 will fix some of the problem, namely when a user logs in via a one-time link, they are not sent to the password change form. (This was the past behavior until the terms-of-use merge). The bug is actually a regression.

Hide

Permalink

Oliver Behnke added a comment - 08/Jun/18 8:17 AM

Since this is rather important I went ahead and reviewed, merged and deployed the fix on both sites. Please verify and proceed.

Thanks!

Show

Oliver Behnke added a comment - 08/Jun/18 8:17 AM Since this is rather important I went ahead and reviewed, merged and deployed the fix on both sites. Please verify and proceed. Thanks!

Hide

Permalink

Shawn Kwang added a comment - 08/Jun/18 2:17 PM

I believe the password reset functionality is working. The outstanding problem is if a user needs to change his/her password and has not agreed to the TOU. Then instead of being re-directed to the User credentials edit page, where s/he can change his/her password without entereing their current password, they are redirected to the terms-of-use agreement form.

Afterwards they cannot change their password without entering their current password, which they do not have.

Show

Shawn Kwang added a comment - 08/Jun/18 2:17 PM I believe the password reset functionality is working. The outstanding problem is if a user needs to change his/her password and has not agreed to the TOU. Then instead of being re-directed to the User credentials edit page, where s/he can change his/her password without entereing their current password, they are redirected to the terms-of-use agreement form. Afterwards they cannot change their password without entering their current password, which they do not have.

Hide

Permalink

Oliver Behnke added a comment - 11/Jun/18 12:35 PM

Ok. Do you already have a way to resolve that which only needs implementation or do we still need to design something?

Show

Oliver Behnke added a comment - 11/Jun/18 12:35 PM Ok. Do you already have a way to resolve that which only needs implementation or do we still need to design something?

Hide

Permalink

Shawn Kwang added a comment - 11/Jun/18 2:06 PM

Do you already have a way to resolve that which only needs implementation or do we still need to design something?

It's being worked on as part of ~~DBOINCP-436~~.

Show

Shawn Kwang added a comment - 11/Jun/18 2:06 PM Do you already have a way to resolve that which only needs implementation or do we still need to design something? It's being worked on as part of DBOINCP-436 .

Hide

Permalink

Shawn Kwang added a comment - 19/Jul/18 5:04 PM

Resolving, as the password-reset functionality should be working. Last bugs in ~~DBOINCP-436~~ deal with email changes only.

Show

Shawn Kwang added a comment - 19/Jul/18 5:04 PM Resolving, as the password-reset functionality should be working. Last bugs in DBOINCP-436 deal with email changes only.

People

Assignee:

Shawn Kwang

Reporter:

Oliver Behnke

Vote (0)

Watch (1)

Dates

Created:

25/May/18 2:32 PM

Updated:

19/Jul/18 5:04 PM

Resolved:

19/Jul/18 5:04 PM

Agile

View on Board