#2527 closed task (fixed)

Invalid token upon LDAP confirmation

Reported by: strk
Owned by: sac@…
Priority: normal
Milestone: Sysadmin Contract 2020-II
Component: SysAdmin
Keywords:


Many users complain about Invalid token being returned by the LDAP account creation verification link (or password reset). These are due to their MUAs pre-visiting incoming links (some form of security treatment, which is instead an INSECURE way to do things, if you ask me, as visiting a link can DO something [as in this case]).

This ticket is to update the scripts ( to only act upon POST and provide a form which POSTs when clicking a button if called with a GET. This should fix this problem.

Change History (3)

comment:1 by strk, 4 years ago

Resolution: fixed
Status: new → closed

I changed both password reset and account creation confirmation pages to require clicking a button on the web page. This should stop virulent MUAs confirming operations without users realizing it...

comment:2 by strk, 4 years ago

For the record, this was done with and its four parent commits

comment:3 by strk, 4 years ago

For the record: the change was still not good enough, as it only printed the form on GET; instead with we always print the form UNLESS the method POST is used (some MUAs are using HEAD).
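The method split described in the ticket description and refined in comment 3, as an added Python example that is not the OSGeo scripts themselves (their code is not on this page): every non-POST request (GET, HEAD or anything else) only gets back a page with a button that POSTs the token, and the token is consumed solely on POST. The in-memory `PENDING_TOKENS` store, the `handle`/`confirm_account` names and the sample token are constructed for illustration; a real script would check the token against LDAP or a database.

```python
import html
from urllib.parse import parse_qs

# Constructed sample store: token -> account awaiting confirmation.
# (Illustrative stand-in for the LDAP/database lookup a real script would do.)
PENDING_TOKENS = {"abc123": "alice"}


def confirm_account(token):
    """Consume a pending token. Returns the confirmed user, or None if invalid."""
    return PENDING_TOKENS.pop(token, None)


def render_form(token):
    """Page shown to anything that is not a POST: a button that POSTs the token.

    A mail client pre-fetching the link (GET or HEAD) only receives this form;
    nothing is changed until a human clicks the button.
    """
    return (
        '<form method="POST" action="">\n'
        f'  <input type="hidden" name="token" value="{html.escape(token)}">\n'
        '  <button type="submit">Confirm account</button>\n'
        '</form>'
    )


def handle(method, query_string, body):
    """Dispatch one request; returns (status, page).

    The check is deliberately "anything but POST shows the form" rather than
    "GET shows the form", so that HEAD and other verbs cannot trigger the action
    either (comment 3 notes some mail clients use HEAD).
    """
    if method.upper() != "POST":
        token = parse_qs(query_string).get("token", [""])[0]
        return 200, render_form(token)

    token = parse_qs(body).get("token", [""])[0]
    user = confirm_account(token)
    if user is None:
        return 400, "Invalid token"
    return 200, f"Account for {html.escape(user)} confirmed"


# Minimal WSGI wrapper so the handler can be served with the standard library.
REASONS = {200: "OK", 400: "Bad Request"}


def application(environ, start_response):
    method = environ["REQUEST_METHOD"]
    query_string = environ.get("QUERY_STRING", "")
    body = ""
    if method == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(length).decode("utf-8")
    status, page = handle(method, query_string, body)
    start_response(f"{status} {REASONS[status]}",
                   [("Content-Type", "text/html; charset=utf-8")])
    return [page.encode("utf-8")]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Visit http://127.0.0.1:8000/?token=abc123 to see the form; only the
    # button click (POST) consumes the token.
    make_server("127.0.0.1", 8000, application).serve_forever()
```

Run it and fetch the link with a GET or HEAD: the token stays pending. Only the POST produced by the button consumes it, and a second POST with the same token gets "Invalid token", which is the expected outcome once the link has been used once rather than the symptom users were reporting.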
