John Posted October 15, 2016 Report Share Posted October 15, 2016 The 'Confirm Password Reset' page has two flaws in it. I am not sure if this is fixed in v4.0, if someone could confirm that as well, that would be great. 1. The page title is missing. It only displays the company name, and does not include $lang['ClientLogin.confirmreset.page_title'] in the title of the page. This is the only login type page that has this behavior. I checked 3 different Blesta installs, including the one at account.blesta.com, and they all had this issue. 2. The password reset link does not expire after one use. This could be an issue, because if someone has access to your email even for a minute, they can generate a link that will get them into your Blesta account forever. I did not test either of these issues with the staff interface, only the client interface. Quote Link to comment Share on other sites More sharing options...
Tyson Posted December 8, 2016 Report Share Posted December 8, 2016 Thanks for the report. On 10/15/2016 at 4:59 PM, John said: The 'Confirm Password Reset' page has two flaws in it. I am not sure if this is fixed in v4.0, if someone could confirm that as well, that would be great. 1. The page title is missing. It only displays the company name, and does not include $lang['ClientLogin.confirmreset.page_title'] in the title of the page. This is the only login type page that has this behavior. I checked 3 different Blesta installs, including the one at account.blesta.com, and they all had this issue. We'll take a look at the page title. On 10/15/2016 at 4:59 PM, John said: 2. The password reset link does not expire after one use. This could be an issue, because if someone has access to your email even for a minute, they can generate a link that will get them into your Blesta account forever. I did not test either of these issues with the staff interface, only the client interface. The password reset link included in an email is only accessible for a short period of time. By default, it is available for 4 hours and can be changed in the config file for 'Blesta.reset_password_ttl'. John 1 Quote Link to comment Share on other sites More sharing options...
Blesta Addons Posted December 8, 2016 Report Share Posted December 8, 2016 5 hours ago, Tyson said: The password reset link included in an email is only accessible for a short period of time. By default, it is available for 4 hours and can be changed in the config file for 'Blesta.reset_password_ttl'. But normally if the link was visited and password was change it should be removed and has no effect , thought no ? Quote Link to comment Share on other sites More sharing options...
Paul Posted December 8, 2016 Report Share Posted December 8, 2016 29 minutes ago, Blesta Addons said: But normally if the link was visited and password was change it should be removed and has no effect , thought no ? Probably, but I doubt there is any mechanism in place to invalidate the link currently. Quote Link to comment Share on other sites More sharing options...
activa Posted December 9, 2016 Report Share Posted December 9, 2016 It would be nice to see a 1 time link working ... John and Michael 2 Quote Link to comment Share on other sites More sharing options...
Paul Posted December 9, 2016 Report Share Posted December 9, 2016 I'd suggest posting this on https://requests.blesta.com to request that the password link expire after it's used. It's not a bug, but it is a good idea. evolvewh and John 2 Quote Link to comment Share on other sites More sharing options...
Tyson Posted December 9, 2016 Report Share Posted December 9, 2016 A one-time link assumes the user clicked it and actually changed their password. This would require that we log all user password changes, which is another feature in itself. The current TTL would still have to apply regardless. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.