recover password: bug with multiple account with same password

Hi,

I just noticed the following bug:

If there is more than one account with the same email address, then password recovery doesn't work correctly and shows "invalid data" when entering the new password.

To be specific:

The email is sent correctly to the right address, but when entering the email address and the new password I get an error.

Maybe it works on the first account; my guess is that there is an SQL query looking for the account based on the email, which returns the wrong account.


I looked in JIRA and didn't find any issue that seemed to fit my symptoms, so my guess is that the bug is still there. I'm using 2.1.4.

[originally posted on jforum.net by pala]
 
How do you suggest it should work?

Rafael
[originally posted on jforum.net by Rafael Steil]
 
I have no precise idea about that.

For sure it should 1) work, 2) work with multiple accounts,

3) the user must be able to know for which account he is changing the password.

You should put the account number somewhere in the URL sent to the user; if you really want to double-check that, ask for the email or the account and compare it to the hidden info in the mail.

I don't really know how it is working now.

Of course the URL should not be guessable in any way, to avoid hacks.

Another thing that would be good is to send a mail for each account if the user tries to recover his account by entering his email address.


[originally posted on jforum.net by pala]
 
I can see the use in having multiple accounts with one email address for admins... but not really for regular users, though I'm a newbie to forums.

For what situation will users need that?

[originally posted on jforum.net by ken0]
 
Well, that's not really the point; of course a workaround would be to forbid multiple accounts on the same email. I don't feel it is good to add a limitation just to avoid a little bug that should be easy to correct.
[originally posted on jforum.net by pala]
 
You're right, the code must not be taking that situation into account.

I guess anyone could grab another email account and participate as multiple users on a forum, so however much it creeps me out as an admin is moot.

And not really the point.

Cheers
[originally posted on jforum.net by ken0]
 
This subject is moving to a "multiple accounts, single email" topic now, apparently.

Remember that you can choose not to check the email; in that case creating lots of bogus addresses is really easy, just type them.

On the other hand, I have a case where there is a legitimate multiple accounts per email situation:

My forum is a forum for a game. Some people tend to use the forum as an extension of the game, so they log in as their game character. Some may have multiple characters in the game and so have multiple accounts on the forum.

I guess that what we are asking for is:

- bugless password recovery
- a checkbox in the admin panel to say "no duplicate email"

Rafael: I didn't put the bug in JIRA since I only have version 2.1.4. If you confirm that it still stands in 2.1.6 I can add it, if you haven't already done that.

[originally posted on jforum.net by pala]
 
A good reason not to allow multiple accounts with the same email is security, or to keep people off who are abusing or spamming your forum.

By making them use a different email address with each new username on the forum, it makes it harder for spammers and/or abusers to create multiple new accounts to log in under: they have to use up an email account for each one. Does this keep them from doing it? No, but it does make them expend more effort to keep coming back.

Personally, I think there should NOT be multiple accounts tied to a single email, and the system should prevent someone from changing their email to one that is already used in the system.

[originally posted on jforum.net by GatorBait3]
 
:roll:
[originally posted on jforum.net by GatorBait3]
 
As if I knew what I was talking about: I think the confusion here is that we're really discussing a design choice (uid = email address) where apparently no error condition has been coded to deal with your situation.

So though it is and isn't a bug, I now see your point in wishing to have that feature. Maybe other forums have it too.

Your request to make that an option sounds great.

<edit>...I guess it is not uid=email, and though I could look in the code, I was just trying to say it will probably take a bit of redesign</edit>
[originally posted on jforum.net by ken0]
 
Well...

If you don't know your username, you will insert the email address to recover the password. And that's where the problem lives.

If you don't know your username, the system will check the provided email and register a securityHash to the record, and then an email will be sent to the address.

If you have multiple accounts under the same email address, the system will use the first matching record.

A possible solution is to show all usernames related to that email account and ask the user to choose the one he wants to recover. That should fix the "problem".

On the other hand, couldn't this be considered some sort of security flaw then?

Rafael
[originally posted on jforum.net by Rafael Steil]
 
...it is a bit more user input to filter and deal with. With that, it's possible to write several lines in a db/hibernate query where each uid equals a line of hack code. But I figure it could also be dealt with securely :?:

Too bad more JForum members aren't developers, including me. Sorry not to help.
[originally posted on jforum.net by ken0]
 
Rafael Steil wrote:
Well...

If you don't know your username, you will insert the email address to recover the password. And that's where the problem lives.

If you don't know your username, the system will check the provided email and register a securityHash to the record, and then an email will be sent to the address.

If you have multiple accounts under the same email address, the system will use the first matching record.

A possible solution is to show all usernames related to that email account and ask the user to choose the one he wants to recover. That should fix the "problem".

On the other hand, couldn't this be considered some sort of security flaw then?

Rafael

Asking the user to choose which one he wants to recover will break the account/email privacy, and that's bad.
My solution would be sending as many mails as there are accounts registered for the email.

But I hope I have been clear: the bug is not really there. The bug is that whether you know your account name or not, if you have multiple accounts the check fails (the one after receiving the mail).

[originally posted on jforum.net by pala]
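The recovery flow the thread converges on, as an added example (not JForum's own code, and not the actual 2.1.x recovery logic, which none of the posts quote): at request time each account sharing the address gets its own random, unguessable token, one mail goes out per account, and the completion step looks the account up by token alone rather than by email, so the "first matching record" ambiguity Rafael describes never arises and the form never has to list usernames (pala's privacy objection). The table and column names, the URL layout, the one-hour lifetime and the three sample accounts are constructed for the example; the password hash is a plain SHA-256 stand-in for a real password hash such as bcrypt or Argon2.

```python
import hashlib
import secrets
import sqlite3
import time

# Constructed in-memory schema for the example; these are NOT JForum's tables.
SCHEMA = """
CREATE TABLE users (
    user_id       INTEGER PRIMARY KEY,
    username      TEXT UNIQUE NOT NULL,
    email         TEXT NOT NULL,            -- deliberately NOT unique
    password_hash TEXT NOT NULL
);
CREATE TABLE reset_tokens (
    token_hash TEXT PRIMARY KEY,             -- sha256 of the secret, never the secret itself
    user_id    INTEGER NOT NULL REFERENCES users(user_id),
    expires_at INTEGER NOT NULL
);
"""

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a recovery link


def hash_password(password):
    # Stand-in for a real password hash (bcrypt/argon2); only the flow matters here.
    return hashlib.sha256(("pw:" + password).encode()).hexdigest()


def hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def setup_db():
    """Three constructed accounts: two share one address, as in the game-character case."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)",
        [("warrior", "player@example.invalid", hash_password("pw-warrior")),
         ("mage",    "player@example.invalid", hash_password("pw-mage")),
         ("lurker",  "someone@example.invalid", hash_password("pw-lurker"))])
    return db


def first_match_by_email(db, email):
    """The ambiguous lookup the thread describes: one row for an address that has several."""
    return db.execute(
        "SELECT user_id, username FROM users WHERE email = ? ORDER BY user_id LIMIT 1",
        (email,)).fetchone()


def request_reset(db, email, now=None):
    """Issue one token per account bound to that address; returns the mails to send.

    The caller should show the same 'if that address is registered, mail was sent'
    message whether or not the list is empty, so the form does not confirm addresses.
    """
    now = int(time.time()) if now is None else now
    mails = []
    rows = db.execute("SELECT user_id, username FROM users WHERE email = ?", (email,)).fetchall()
    for user_id, username in rows:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
        db.execute("INSERT INTO reset_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)",
                   (hash_token(token), user_id, now + TOKEN_TTL_SECONDS))
        # Hypothetical URL layout; the token alone identifies the account server-side.
        url = f"https://forum.example.invalid/user/recoverPassword/{token}"
        mails.append({"to": email, "username": username, "url": url, "token": token})
    db.commit()
    return mails


def complete_reset(db, token, new_password, now=None):
    """Look the account up BY TOKEN, not by email or username; returns the reset username or None."""
    now = int(time.time()) if now is None else now
    row = db.execute("SELECT user_id, expires_at FROM reset_tokens WHERE token_hash = ?",
                     (hash_token(token),)).fetchone()
    if row is None:
        return None
    user_id, expires_at = row
    if expires_at < now:
        db.execute("DELETE FROM reset_tokens WHERE user_id = ?", (user_id,))
        db.commit()
        return None
    db.execute("UPDATE users SET password_hash = ? WHERE user_id = ?",
               (hash_password(new_password), user_id))
    # Single use: burn every outstanding token for this account, not just the one presented.
    db.execute("DELETE FROM reset_tokens WHERE user_id = ?", (user_id,))
    db.commit()
    return db.execute("SELECT username FROM users WHERE user_id = ?", (user_id,)).fetchone()[0]


def password_hash_of(db, username):
    return db.execute("SELECT password_hash FROM users WHERE username = ?", (username,)).fetchone()[0]


if __name__ == "__main__":
    db = setup_db()
    print("first match only:", first_match_by_email(db, "player@example.invalid"))
    for m in request_reset(db, "player@example.invalid"):
        print("mail to", m["to"], "for", m["username"], "->", m["url"])
```

Run directly, it prints the single row the first-match lookup returns beside the two distinct mails the shared address receives, each naming the account it resets. Storing only the SHA-256 of the token means a read of the reset_tokens table does not hand out usable links, and deleting every token for the account on success keeps an older, unused mail from resetting the password later; the other account's token stays valid, so both characters can be recovered from the same request.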
 