The password gets replaced by an automatic password, but not updated with the password entered in the
ChangePassword form.
MAIN branch, Template login.
--
TWiki:Main/ArthurClemens - 17 Mar 2008
tre odd. it was working for me last week in the trunk (I don't use apache auth much) perhaps you can give us more cfg details?
--
TWiki:Main.SvenDowideit - 18 Mar 2008
Do you mean current LocalSite.cfg settings?
--
TWiki:Main.ArthurClemens - 18 Mar 2008
may as well start with that y
--
TWiki:Main.SvenDowideit - 18 Mar 2008
These are my settings:
--
TWiki:Main.ArthurClemens - 18 Mar 2008
It happens as well with the TWiki 4.2 download.
I have found the cause:
- ChangePassword has a form action manage
- manage script needs authentication (it is listed in configure under {AuthScripts})
- When the form is submitted it goes through TWiki authentication. Before Manage.pm is called the user gets returned to the login screen.
My temporary solution is to create a new passwd script:
ln -s manage passwd
... and to change the form action in ChangePassword from manage to passwd.
Of course this is a huge security risk. And you are also not logged in automatically, so after a password entry you need to enter it again in the login screen.
--
TWiki:Main.ArthurClemens - 26 Mar 2008
ouch :/
--
TWiki:Main.SvenDowideit - 31 Mar 2008
need to list all the uses of manage, and if they need to be authenticated. Then decide if we just test for auth-ness for those that need it, and if its not, send the user to the login.
--
TWiki:Main.SvenDowideit - 31 Mar 2008
basic issue is to know why manage was added to the auth list, so we don't just re-re-re-break things
--
TWiki:Main.SvenDowideit - 31 Mar 2008
perhaps reset can be done via another script - like login..
--
TWiki:Main.SvenDowideit - 31 Mar 2008
Manage is used for bulkRegister, deleteUserAccount, saveSettings and restoreRevision. So that cannot be opened up. We can either use an existing script such as login, or create a new one, like resetpassword.
--
TWiki:Main.ArthurClemens - 01 Apr 2008
I think that we should change the UI so that you cannot change your password unless you are logged in.
Otherwise, we pre-suppose that TWiki is reliably able to authenticate (and create sessions etc) for any random authentication system. (imagine an SSO setup where they have written a password manager that is able to send the SSO system a request to change the pwd)
--
TWiki:Main.SvenDowideit - 14 Apr 2008
So when I get a temp password in the mail, I first log in with the code? And then go back to ChangePassword to change my password?
--
TWiki:Main.ArthurClemens - 14 Apr 2008
correct. That seems to be a pretty standard flow in other web apps, and does actually give more control of security to the TWiki admin.
For example (I just thought of it):
If the TWiki is set up to be unencrypted for guest users, and then HTTPS to log in, and for all subsequent traffic (to provide encryption both for all passwords, and private content), the current implementation would provide a vector for passwords to leak via plain text.
Similarly, we should not pass the password as a url param - as this reveals it to every router and proxy along the route.
--
TWiki:Main.SvenDowideit - 14 Apr 2008
In the meeting we have agreed to proceed this way, and to make ChangePassword not viewable by TWikiGuest or twikiguest.
--
TWiki:Main.ArthurClemens - 15 Apr 2008
Also reported in TWiki:Support.ResetPasswordFailure
--
TWiki:Main.ArthurClemens - 17 Apr 2008
Manage is used for bulkRegister, deleteUserAccount, saveSettings and restoreRevision - that's true, but each of those functions either tests for TWikiAdminGroup or only permits the action on a logged-in user, doesn't it? I was under the impression that manage didn't have to be controlled in Apache. Happy to be proved wrong.
I changed the headline to reflect the analysis and marked this as Confirmed.
--
TWiki:Main.CrawfordCurrie - 02 May 2008
Remind me I am taking this on.
--
TWiki:Main.ArthurClemens - 12 May 2008
on considering what I will be doing for a client in Item5623 I think that we should place resetpasswd on the only definitely non-authed script - login. All other scripts in their locked down TWiki are inaccessible, and logon is really for apache auth..
personally I think forcing 'change password' to be post auth is ok..
--
TWiki:Main.SvenDowideit - 13 May 2008
actually, isn't this a NON-BUG??
- reset password uses the already existing resetpassword script
- change password should be limited to already logged in users! - it is not impossible to change password if manage requires login specifically, because to change their password, they must know it, and thus should be logging in.
so I guess the only thing that needs doing, is to disable the ChangePassword form unless they are logged in - with a message telling them to log in first.
--
TWiki:Main.SvenDowideit - 13 May 2008
Yes. We must force people to log in when viewing ChangePassword, and make it clear in the email.
--
TWiki:Main.ArthurClemens - 13 May 2008
I have added DENYTOPICVIEW = TWikiGuest.
--
TWiki:Main.ArthurClemens - 19 May 2008
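The following is an added example, not code from the thread or from TWiki itself: a small audit that reproduces the reasoning above (a ChangePassword form posting to a script listed in {AuthScripts} while TWikiGuest can still view the topic, plus the password-in-URL concern) and shows that the DENYTOPICVIEW = TWikiGuest setting clears the first finding. The config lines and topic text are constructed samples in TWiki's own syntax; the finding names are hypothetical.

```python
import re

# Constructed sample of the relevant LocalSite.cfg lines (comma-separated script
# names, as configure writes them); not taken from any real site.
LOCALSITE_CFG = """
$TWiki::cfg{AuthScripts} = 'attach,edit,manage,rename,save,upload,viewauth';
$TWiki::cfg{LoginManager} = 'TWiki::LoginManager::TemplateLogin';
"""

# Constructed stand-in for the ChangePassword topic: a form posting to manage,
# first without and then with the DENYTOPICVIEW setting from the thread.
TOPIC_BEFORE = """
<form name="passwd" action="%SCRIPTURLPATH{"manage"}%/%WEB%/%TOPIC%" method="post">
<input type="password" name="oldpassword" /> <input type="password" name="password" />
<input type="hidden" name="action" value="changePassword" />
</form>
"""
TOPIC_AFTER = TOPIC_BEFORE + "   * Set DENYTOPICVIEW = TWikiGuest\n"

def auth_scripts(cfg_text):
    """Script names listed in {AuthScripts}; these bounce anonymous users to login."""
    m = re.search(r"\{AuthScripts\}\s*=\s*'([^']*)'", cfg_text)
    return {s.strip() for s in m.group(1).split(",") if s.strip()} if m else set()

def form_target(topic_text):
    """(script, method) of the first form; HTML defaults a missing method to GET."""
    action = re.search(r'<form[^>]*action="%SCRIPTURLPATH\{"?(\w+)"?\}%', topic_text)
    method = re.search(r'<form[^>]*method="(\w+)"', topic_text, re.I)
    return (action.group(1) if action else None,
            method.group(1).lower() if method else "get")

def guest_denied(topic_text):
    """True if the topic's DENYTOPICVIEW preference lists TWikiGuest."""
    m = re.search(r"^\s*\*\s+Set\s+DENYTOPICVIEW\s*=\s*(.+)$", topic_text, re.M)
    if not m:
        return False
    names = {n.strip().split(".")[-1] for n in m.group(1).split(",")}
    return "TWikiGuest" in names

def audit(cfg_text, topic_text):
    """Findings for an anonymous user reaching this form, as described in the thread."""
    script, method = form_target(topic_text)
    findings = []
    # Form posts to an {AuthScripts} entry while guests can still load the page:
    # the submission is intercepted by login and the entered password is dropped.
    if script in auth_scripts(cfg_text) and not guest_denied(topic_text):
        findings.append("anonymous_submit_bounced_to_login")
    # A GET form would put the password into the URL, visible to proxies and logs.
    if method != "post":
        findings.append("password_in_url")
    return script, findings
```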