BUG - Changing password flagged as profile update

Hi, 

When members change their password, this shows up as if they've "updated" their profile, when really they have not. When matching is enabled this generates the typical cupid/match email, but it shouldn't. It was only a password change; it should have nothing to do with their profile information. Can this be separated out into a separate block, like the privacy options?

Also, when a user simply hits save and changes absolutely nothing, this is also flagged as an updated profile. There should be some check to make sure something has changed. As well, there should be a limit on how many times a user's profile update triggers the cupid/match emails.

If a member has 5k matches and changes their password, then sees they want to change some of their info, the system queues 10k emails. This would be considered spam, as it's the same message over and over again, which is unnecessary and can potentially lower the reputation of your mail server.

Thanks

Quote · 11 Apr 2013
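The two requests in the post above (a password change must not count as a profile update, and a save that changes nothing must not fire the cupid/match mail, with a cap on how often it can fire) can be modelled in a few lines. This is an added example written for this thread, not Dolphin code: the credential field names follow the thread, the one-hour throttle window and the injected clock are assumptions.

```python
"""Separate credential changes from profile edits and throttle match mails.

Added example, not Dolphin code. Field names (Password, Salt) follow the
thread; the throttle window is an assumption chosen for illustration.
"""
import time

# Fields that belong to the credential block, never to "profile information".
CREDENTIAL_FIELDS = frozenset({"Password", "Salt"})


def profile_changed(old: dict, new: dict) -> bool:
    """True only if a non-credential field actually changed value."""
    keys = (set(old) | set(new)) - CREDENTIAL_FIELDS
    return any(old.get(k) != new.get(k) for k in keys)


class MatchMailThrottle:
    """Allow at most `limit` match notifications per member per `window` seconds."""

    def __init__(self, limit=1, window=3600, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self._sent = {}  # member_id -> timestamps of mails sent

    def allow(self, member_id) -> bool:
        now = self.clock()
        recent = [t for t in self._sent.get(member_id, []) if now - t < self.window]
        if len(recent) >= self.limit:
            self._sent[member_id] = recent
            return False
        recent.append(now)
        self._sent[member_id] = recent
        return True


def on_profile_save(member_id, old: dict, new: dict, throttle: MatchMailThrottle) -> str:
    """Decide what a save should do; returns an action label.

    "no-op"           nothing changed: no 'updated' flag, no match mail
    "updated-no-mail" profile changed, but a match mail already went out this window
    "updated-mail"    profile changed and a match mail may be queued
    """
    if not profile_changed(old, new):
        return "no-op"
    if not throttle.allow(member_id):
        return "updated-no-mail"
    return "updated-mail"
```

A password change alters only `Password` and `Salt`, so `profile_changed` returns False and the save is a no-op for matching purposes; the throttle then bounds how many match mails a genuinely edited profile can trigger per window.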

This change requires some structural changes, so we will try to implement it in future versions like 7.2 or 7.3:

http://www.boonex.com/trac/dolphin/ticket/3123

Rules → http://www.boonex.com/terms
Quote · 11 Apr 2013

Thanks for logging this.

Quote · 11 Apr 2013

What's even worse about it is that your password is changed immediately, whenever a lost password request comes in. This means if someone knows your email address, that person can block you from the site until you enter your newly generated password!!

I just tested this on the demo site, and anyone who was logged in during that time should be able to confirm the above.

 

Ps. I just changed the password back to dolphin from the admin panel and people should be able to log on again!

Dedicated servers for as little as $32 (28 euro) - See http://denre.com for more information
Quote · 22 May 2013

 

What's even worse about it is that your password is changed immediately, whenever a lost password request comes in. This means if someone knows your email address, that person can block you from the site until you enter your newly generated password!!

I just tested this on the demo site, and anyone who was logged in during that time should be able to confirm the above.

 

Ps. I just changed the password back to dolphin from the admin panel and people should be able to log on again!

Yes, another poorly designed function on Dolphin. It's been reported/discussed a while ago, but I don't think they'll do anything about it.

Quote · 23 May 2013

What should be added to the lost password request:

a special word or phrase field that only the member knows and has set up in the member profile.
So if the email and special word or phrase match, then send the lost email request.

 

Is this easy to build, do you think???

Quote · 23 May 2013

I think you need to make your own thread.

What should be added to the lost password request:

a special word or phrase field that only the member knows and has set up in the member profile.
So if the email and special word or phrase match, then send the lost email request.

 

Is this easy to build, do you think???

 

Quote · 27 May 2013

 

What's even worse about it is that your password is changed immediately, whenever a lost password request comes in. This means if someone knows your email address, that person can block you from the site until you enter your newly generated password!!

I just tested this on the demo site, and anyone who was logged in during that time should be able to confirm the above.

 

Ps. I just changed the password back to dolphin from the admin panel and people should be able to log on again!

Welcome to Dolphin; it's been like this for years! They don't seem to get it when we complain.

You can search the forums; this has been discussed till we just gave UP!

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 27 May 2013

 

You can search the forums; this has been discussed till we just gave UP!

 

If the mountain won't come to Muhammad, Muhammad will go to the mountain... And that is what I did: I have rewritten forgot.php!

What my added code does when a request is made for a password change:

  1. It will store the new password + salt and an activation link in newly added fields (New_Password, New_Salt and pwd_key).
  2. It sends an email with the password and activation link to the user
  3. The user clicks the (unique) activation link
  4. The user id and activation link are checked, and if correct:
    1. The new password and salt are copied to the Password and Salt fields
    2. The New_Password, New_Salt and pwd_key are emptied
  5. The user is logged in and redirected to the member page

This means the new password is only set when the user clicks the activation link and the activation link can only be used once.

I believe this to be basic functionality and am giving the code away for free. If Boonex wants to, they can also add the code to the official distribution of Dolphin. I've tested the code on my own configuration, without any issues.

If you have limited knowledge of databases and/or hosting, I recommend not using this package. I have already spent too much time writing the code and cannot afford to support this for free.

As always... before making changes, make a backup!!!

The attached zip file contains:

  • forgot.php
  • install.sql
  • example_mail (Password retrieval)

 

boonex_forgot.zip · 3.4K · 296 downloads
Dedicated servers for as little as $32 (28 euro) - See http://denre.com for more information
Quote · 27 May 2013

Unbelievable! Thanks so much. 

Quote · 28 May 2013

Denre,

I have been working on this part time for a couple days.

What I think would work better is, when you click the link in the email, it takes you to a page that allows you to enter a new password, rather than resetting your password to a random one.

I am thinking 2 inputs: password and verify password, then a submit button. Once you submit, you'll get an email stating you changed your password, then you get to log in with your new password.

Since you clicked the link, and the link only works once, I don't think captcha would be necessary on this page.

Denre, let me know if you want to do this or I can try to do this on Saturday (06-01-2013).

Thanks!

 

 

http://www.mytikibar.com
Quote · 31 May 2013

Hi Steve,

Good timing, I was just about to upload a more advanced forgot-password hack to the market!

I like your idea, but I think it's too complicated and can be done in a better way? Why not create a new password on the same form where you enter your email address? This would simplify the process and does not need much extra coding.

The new forgot.php I'm working on also respects site members' privacy better than the current one. If you enter a non-existing but valid email address, you no longer get a message that the email address could not be found. If you know someone's email address, currently it would be easy to find out whether that person is a registered member or not. This option can be set in the Advanced Settings general section.

Besides better privacy, it also comes with its own email template, and the confirmation URL is easier to add.

With regards to the proposed change, I should have this ready in a few hours.

 

Denre

 

 

Ps. for those interested, I have also added a bug-fixed map.html template for the World Map Module (with extra functionality that can be set in admin section) to the market (http://www.boonex.com/m/map-html-bug-fixed). The package can be downloaded for free!!

Dedicated servers for as little as $32 (28 euro) - See http://denre.com for more information
Quote · 31 May 2013

So you enter your email address, and a new password (with a confirmation of course), then you get a link in your email that acknowledges the password change and validates it?

I LIKE it!  That's different than the other ways you change your password.  I like that.

Just do NOT change the password UNTIL the confirmation link is clicked.

That will keep idiots from changing other peoples password.

PLEASE keep me informed!

http://www.mytikibar.com
Quote · 31 May 2013

OK, the new hack is "ready" and only needs cleaning up. I had some issues with the password check and in the end decided to write a new password check.

The new hack will work in the following way:

  1. Enter password, confirm password, email and ReCaptcha and submit the form
  2. You receive an email with a link to confirm the password change (currently the new password is also in the email)
  3. Click the link in the email and you're logged in automatically while the new password is set to active.

I'll try to get everything ready today but have a lot going on and can't promise it will be in the market before the end of the day. Anyway, when it is, I'll drop another post in the topic.

 

Denre

Dedicated servers for as little as $32 (28 euro) - See http://denre.com for more information
Quote · 1 Jun 2013

Can this be used for 7.0.9 too?

I think it's better to set the PW after the user has clicked the link; otherwise people could believe the incoming email is from the system and activate it. Black hats triggering this PW reset also know the PW if the user clicks the link.

Check my GeoDistance, Watermark, TorBlock and Android Push Notifications mods | http://goo.gl/H3Vp81
Quote · 1 Jun 2013

 

Can this be used for 7.0.9 too?

I think it's better to set the PW after the user has clicked the link; otherwise people could believe the incoming email is from the system and activate it. Black hats triggering this PW reset also know the PW if the user clicks the link.

That is a good point about the password. I had just changed it and was going to upload it to the market. However, having seen your point, I'll make it optional. It just means people have to wait till tomorrow for the package to be in the Market.

Since I'm doing this for free, I'm not going to release it for earlier versions of the script, but I will update it for future versions. However, if you're willing to pay to get this implemented on your 7.0.9 version... Else upgrade to 7.1.2 Wink

 

If there are any other suggestions that would be helpful, please let me know. Making the "password set by the user" optional is the last thing I'll change before releasing this (by now) v1.1 release, but other things can be added for later releases!

 

 

Denre

Dedicated servers for as little as $32 (28 euro) - See http://denre.com for more information
Quote · 1 Jun 2013
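The design the thread has converged on by this point (the rewritten forgot.php at the top, the three-step flow, and the point that the password must not be applied, or mailed, until the link is clicked) is shown below as an added example. It is written in Python as a language-neutral model and is not Denre's PHP module or any Dolphin code. It reuses the thread's field names (Password, Salt, New_Password, New_Salt, pwd_key) on constructed in-memory member records; the one-hour token lifetime, the `pwd_key_expires` field, the example.invalid link host and the injected clock and outbox are assumptions. The request handler returns the same message whether or not the address is registered, which is the privacy option Denre describes; only a hash of the confirmation token is stored, so a copy of the members table does not yield usable links; and the mail carries the link but never the password.

```python
"""Confirm-before-apply password reset with a single-use, expiring token.

Added example, not Dolphin's forgot.php. Field names follow the thread;
TOKEN_TTL, pwd_key_expires, the link host and the injected clock/outbox
are assumptions made for this illustration.
"""
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 3600  # assumption: a confirmation link is valid for one hour


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2 hash; stand-in for whatever the site uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


class PasswordReset:
    def __init__(self, members: dict, outbox: list, clock=time.time):
        self.members = members  # email -> record dict (constructed sample data)
        self.outbox = outbox    # list of (recipient, link) mails "sent"
        self.clock = clock

    def request(self, email: str, new_password: str) -> str:
        """Step 1: stage the new password; same reply whether the address exists or not."""
        rec = self.members.get(email)
        if rec is not None:
            token = secrets.token_urlsafe(32)
            salt = os.urandom(16)
            rec["New_Salt"] = salt
            rec["New_Password"] = hash_password(new_password, salt)
            # store only a hash of the token; the raw token goes into the link
            rec["pwd_key"] = hashlib.sha256(token.encode()).hexdigest()
            rec["pwd_key_expires"] = self.clock() + TOKEN_TTL
            link = f"https://example.invalid/forgot.php?id={rec['ID']}&key={token}"
            self.outbox.append((email, link))  # the mail carries the link, never the password
        return "If that address is registered, a confirmation link has been sent."

    def confirm(self, member_id: int, token: str) -> bool:
        """Step 2: make the pending password live, only for a valid, unexpired, unused key."""
        rec = next((r for r in self.members.values() if r["ID"] == member_id), None)
        if rec is None or not rec.get("pwd_key"):
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, rec["pwd_key"]):
            return False
        if self.clock() > rec["pwd_key_expires"]:
            return False
        # copy the pending hash into the live fields, then clear the staging fields
        rec["Password"], rec["Salt"] = rec["New_Password"], rec["New_Salt"]
        for k in ("New_Password", "New_Salt", "pwd_key", "pwd_key_expires"):
            rec[k] = None  # single use: the same link can never activate again
        return True

    def login(self, email: str, password: str) -> bool:
        rec = self.members.get(email)
        if rec is None:
            return False
        return hmac.compare_digest(hash_password(password, rec["Salt"]), rec["Password"])
```

Until `confirm` succeeds the old password keeps working, so a stranger who knows only the email address can no longer lock the member out, which was the original complaint; an expired or already-used link is simply rejected.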

I just decided to go a different way. I changed the forgot routine so the user must enter email and username, so it's unlikely to bring someone into trouble. That's easier for me.

Check my GeoDistance, Watermark, TorBlock and Android Push Notifications mods | http://goo.gl/H3Vp81
Quote · 1 Jun 2013

The suspense is killing me!

How much difference is it going to be to make it work with 7.0.9?

I'm stuck on it as I have spent WAY too much time with my own bug fixes and custom code.

http://www.mytikibar.com
Quote · 1 Jun 2013

OK, it has taken a while but I managed to make a module out of it, that can be installed using the FTP upload function and does not require any file modifications.

 

The module changes the behaviour of the password forgot function so that the person requesting a new password has to confirm the password change before the new password is active. When the person clicks the link, he/she is logged in and does not need to log in again with the new password!

For the confirmation message a new email template is added, that can be configured via the Admin panel, Settings, Email Templates.

Other options of this module include:
- Disable "Email not found" message (the message is a potential privacy leak)
- Option to let user create a new password instead of generating a new password (automatic generation of passwords is more secure)
- Redirect page (currently supported are account, profile and profile edit)

Installing the package is simple: just upload the package using the FTP option in Modules, Add & Manage. Select the module from the list of "Not installed modules" and click Install.

By default the "Email not found" message is disabled, a temporary password is generated and the redirect page is "profile edit".

 

Because of the time I spent on it, I'm "charging" a symbolic fee of $1 (free for premium members), which I believe is fair and certainly worth it!

 

http://www.boonex.com/m/advanced-password-forgot

 

 

Denre

Dedicated servers for as little as $32 (28 euro) - See http://denre.com for more information
Quote · 6 Jun 2013