#2527 closed task (fixed)
Invalid token upon LDAP confirmation
| Reported by: | strk | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Sysadmin Contract 2020-II |
| Component: | SysAdmin | Keywords: | |
| Cc: | | | |
Description
Many users complain about "Invalid token" being returned by the LDAP account creation verification link (or password reset). These are due to their MUAs pre-visiting incoming links (some form of security treatment, which is instead an INSECURE way to do things, if you ask me, as visiting a link can DO something [as in this case]).
This ticket is to update the scripts (https://git.osgeo.org/gitea/sac/web-cgi-bin) to only act upon POST and to provide a form which POSTs when clicking a button if called with a GET. This should fix this problem.
Change History (3)
comment:1 by , 4 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:2 by , 4 years ago
For the record, this was done with https://git.osgeo.org/gitea/sac/web-cgi-bin/commit/5f8fa208036454efa7f5d1b16ecc5b8221b72c88 and its four parent commits.
comment:3 by , 4 years ago
For the record: the change was still not good enough, as it only printed the form on GET; instead, with https://git.osgeo.org/gitea/sac/web-cgi-bin/commit/c1c657e8e76a6ec5345f8cf891c6ca00d05105d0 we always print the form UNLESS the POST method is used (some MUAs are using HEAD).
I changed both the password reset and account creation confirmation pages to require clicking a button on the web page. This should stop virulent MUAs from confirming operations without users realizing it...
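The handler pattern described in comment:3, as an added Python example (not the web-cgi-bin scripts themselves, whose language and layout are not shown on this page): the one-time token is consumed only on POST, and every other method (GET, HEAD, or anything a link prefetcher might send) gets a side-effect-free form with a button. The token store, the account name and the action path are constructed stand-ins.

```python
import html
from typing import Dict, Tuple

# Constructed in-memory store of pending confirmation tokens -> account name.
# In the real scripts this would be whatever backend holds the LDAP request.
PENDING_TOKENS: Dict[str, str] = {"tok-abc123": "alice"}


def render_form(action_path: str, token: str) -> str:
    """Page returned for any non-POST request.

    It performs no action; it only carries the token forward in a hidden
    field so that a deliberate button click submits it via POST.
    """
    safe_path = html.escape(action_path, quote=True)
    safe_token = html.escape(token, quote=True)
    return (
        '<form method="POST" action="%s">' % safe_path
        + '<input type="hidden" name="token" value="%s">' % safe_token
        + '<button type="submit">Confirm</button></form>'
    )


def confirm_account(token: str) -> Tuple[int, str]:
    """The side-effecting step: consume the one-time token exactly once."""
    user = PENDING_TOKENS.pop(token, None)
    if user is None:
        return 400, "Invalid token"
    return 200, "Account %s confirmed" % user


def handle_request(method: str, token: str,
                   action_path: str = "/cgi-bin/confirm") -> Tuple[int, str]:
    """Dispatch on the HTTP method: act on POST, show the form otherwise.

    Checking for POST (rather than for GET) is the point of comment:3:
    a prefetching MUA that sends HEAD must also land on the harmless branch.
    """
    if method.upper() != "POST":
        return 200, render_form(action_path, token)
    return confirm_account(token)
```

A prefetch of the link with GET or HEAD leaves the token in place, so the later human click on the button still succeeds.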