Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#2527 closed task (fixed)

Invalid token upon LDAP confirmation

Reported by: strk Owned by: sac@…
Priority: normal Milestone: Sysadmin Contract 2020-II
Component: SysAdmin Keywords:
Cc:

Description

Many users complain about Invalid token being returned by the LDAP account creation verification link (or password reset). These are due to their MUAs pre-visiting incoming links (some form of security treatment, which is instead an INSECURE way to do things, if you ask me, as visiting a link can DO something [as in this case]).

This ticket is to update the scripts (https://git.osgeo.org/gitea/sac/web-cgi-bin) to only act upon POST and provide a form which POSTs when clicking a button if called with a GET. This should fix this problem

Change History (3)

comment:1 by strk, 4 years ago

Resolution: fixed
Status: newclosed

I changed both password reset and account creation confirmation pages to require clicking a button on the web page. This should stop virulent MUAs confirming operations without users realizing it...

comment:2 by strk, 4 years ago

For the record, this was done with https://git.osgeo.org/gitea/sac/web-cgi-bin/commit/5f8fa208036454efa7f5d1b16ecc5b8221b72c88 and its four parent commits

comment:3 by strk, 4 years ago

For the record: the change was still not good enough, as it only printed the form on GET, instead with https://git.osgeo.org/gitea/sac/web-cgi-bin/commit/c1c657e8e76a6ec5345f8cf891c6ca00d05105d0 we always print the form UNLESS the method POST is used (some MUAs are using HEAD)

Note: See TracTickets for help on using tickets.