
Password Reset Link Redirect Back To Login Page


chanx-young

Question

13 answers to this question

  • 0

I had a similar issue. Make sure your company settings are correct. In my case it had to include the www. Even though the domain is set up to point with or without www, the hostname of the server and the setup in Blesta in my case are www and it would not work without it.

In the email template, if you are using SSL then make sure it says https:// and not http:// or it will not work correctly.

Thank you very much, you saved my day.

And you're right, I have redirected all calls to my website to www, so I have to set the hostname to www.domain.com

And in the email template I have to edit the link (not just the shown text) to https://

Maybe a suggestion to the developer to make this setting easier.

Thanks

  • 0

I can't find any error.

My password reset link is at https://www.domain.com/client/login/reset/

The password reset confirmation link is at http://domain.com/client/login/confirmreset/?sid=hilnXxfw%2FbRW2tPOtBTG7BKjeV9%2B61qCXpNrDk7ZUnsolzPrxw7Knpg3rsrcAp5J

But when I clicked that link, it goes to https://www.domain.com/client/login/


  • 0

The links look fine to me. Have you attempted to reset your password so you can check the email you receive? If so, does the link work?

 

If the link is fine, your customer probably clicked an old reset password link. The links are only valid for a short time (e.g. 4 hours). If the link is no longer valid when they visit it, they would be redirected to the login page. In that case, they should enter their email address on the reset password page to receive another email, and then check their email within those 4 hours.


  • 0

I did that on my own; I clicked the link just after I received the confirmation email, so that was before 4 hours, but it just redirected to the login page.

I tried that on licensecart, but his installation seems to have no problem.

On mine, before the update it was okay; I don't know whether it is because of the update or not.

Are you using cPanel? Can you check your cron job if it is? It should be /usr/local/bin/php


  • 0

Hello. I tried to edit app/controllers/client_login.php

/**
	 * Confirm password reset
	 */
	public function confirmReset()  {

		$this->uses(array("Clients"));

		// Verify parameters
		if (!isset($this->get['sid']))
			$this->redirect($this->base_uri . "login/");
		
		$params = array();
		$temp = explode("|", $this->Clients->systemDecrypt($this->get['sid']));
		//print_r($temp);
		//if (count($temp) <= 1)
		//	$this->redirect($this->base_uri . "login/");
		
		foreach ($temp as $field) {
			$field = explode("=", $field, 2);
			$params[$field[0]] = $field[1];
		}
		
		// Verify reset has not expired
		//if ($params['t'] < strtotime("-" . Configure::get("Blesta.reset_password_ttl")))
			//$this->redirect($this->base_uri . "login/");
			
		// Verify hash matches
		//if ($params['h'] != substr($this->Clients->systemHash('u=' . $params['u'] . '|t=' . $params['t']), -16))
			//$this->redirect($this->base_uri . "login/");
		
		// Attempt to update the user's password and log in
		if (!empty($this->post)) {
			
			$client = $this->Clients->getByUserId($params['u']);
			$user = $this->Users->get($params['u']);
			
			if ($user && $client && $client->status == "active") {
				// Update the user's password
				$this->Users->edit($params['u'], $this->post);
				
				if (!($errors = $this->Users->errors())) {
					$this->post['username'] = $user->username;
					$this->post['password'] = $this->post['new_password'];
					$this->post['ip_address'] = (isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : "");
					
					// Attempt to log user in
					$this->Users->login($this->Session, $this->post);
					
					$this->forwardPostAuth();
				}
				else
					$this->setMessage("error", $errors);
			}
		}
	}

I commented out 3 verifications:

1. if (count($temp) <= 1)

2. Verify reset has not expired

3. Verify hash matches


And the page goes on to ask for a new password like it should.

I wonder what the sid content is.

I tried print_r($temp) but got just [Array ( [0] => )

Does that mean the sid is not valid? Or that it can't be decrypted?

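The three checks commented out in the post above are what tie a reset link to one user and a limited time window, so a controller left in that state accepts any `sid`. As an added example (not Blesta's code and not from the thread), the function below keeps all three checks and returns a reason that can be logged while debugging. Assumptions: `resetMac`, `makeResetToken` and `checkResetToken` are hypothetical names, HMAC-SHA256 stands in for `systemHash()`, and the input is the already-decrypted `sid` string.

```php
<?php
// Added example, not Blesta code. Function names are hypothetical; HMAC-SHA256
// stands in for systemHash(), whose internals are not shown in the thread.
function resetMac(string $payload, string $key): string
{
    // Same shape as the thread's check: last 16 hex chars of a keyed hash.
    return substr(hash_hmac('sha256', $payload, $key), -16);
}

function makeResetToken(int $userId, int $issuedAt, string $key): string
{
    $payload = 'u=' . $userId . '|t=' . $issuedAt;
    return $payload . '|h=' . resetMac($payload, $key);
}

// Returns a reason string; anything other than 'valid' must be rejected.
function checkResetToken(string $plain, string $key, int $ttl, int $now): string
{
    $params = [];
    foreach (explode('|', $plain) as $field) {
        $kv = explode('=', $field, 2);
        if (count($kv) === 2) {
            $params[$kv[0]] = $kv[1];
        }
    }
    // An empty or undecryptable sid yields no fields (the "Array ( [0] => )" case).
    if (!isset($params['u'], $params['t'], $params['h']) || !ctype_digit($params['t'])) {
        return 'malformed';
    }
    // Check the MAC before trusting any field; hash_equals() is constant-time.
    $expected = resetMac('u=' . $params['u'] . '|t=' . $params['t'], $key);
    if (!hash_equals($expected, $params['h'])) {
        return 'bad_hash';
    }
    if ((int) $params['t'] < $now - $ttl) {
        return 'expired';
    }
    return 'valid';
}

// Constructed sample values (key, clock and user id are made up).
$key = 'constructed-demo-key';
$now = 1700000000;
$fresh = makeResetToken(42, $now - 600, $key);
$cases = ['fresh' => $fresh, 'expired' => makeResetToken(42, $now - 5 * 3600, $key),
    'tampered' => str_replace('u=42', 'u=1', $fresh), 'empty' => ''];
foreach ($cases as $name => $token) {
    printf("%-8s %s\n", $name, checkResetToken($token, $key, 4 * 3600, $now));
}
```

In a controller, the reason would be written to a server-side log and every result other than `valid` would still redirect to the login page.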

  • 0

I had a similar issue. Make sure your company settings are correct. In my case it had to include the www. Even though the domain is set up to point with or without www, the hostname of the server and the setup in Blesta in my case are www and it would not work without it.

In the email template, if you are using SSL then make sure it says https:// and not http:// or it will not work correctly.
